[35156] in bugtraq
Re: The Linksys WRT54G "security problem" doesn't exist
daemon@ATHENA.MIT.EDU (insecure)
Sat Jun 5 14:39:17 2004
Message-ID: <40C0F145.6010701@ameritech.net>
Date: Fri, 04 Jun 2004 17:01:41 -0500
From: insecure <insecure@ameritech.net>
MIME-Version: 1.0
To: David Pipe <David_Pipe@bio-rad.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <OF573D37A2.8E5427F6-ON87256EA9.00668BEB-87256EA9.0066B037@bio-rad.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
David Pipe wrote:
>>In a recent client installation I discovered that even if the remote
>>administration function is turned off, the WRT54G provides the
>>administration web page to ports 80 and 443 on the WAN.
>>
>>
>
>I think the "Independent consultant" quoted in InternetWeek is wrong. I
>think he either has a defective router or his cables are plugged into the
>wrong end of the thing.
>
>This clearly works properly on my Linksys WRT54G. No access of
>administrative site on the WAN side when it's turned off. Period.
>
>Comments and questions:
>
>1) No one has been able to confirm this problem. Isn't that right?
>
>2) The "Independent consultant" did not say he tried with more than one
>router, and it appears that he did not ask anyone else if they would
>check this out on their routers before he decided the sky was falling.
>
>3) Thousands and thousands of these things have been sold for months and no
>one has reported this error before.
>
>4) Certainly such an egregious error would have been discovered before
>now, as hackers routinely bang away at IP addresses and find this stuff.
>
>5) Does he really think that Cisco/Linksys would not test such a basic
>basic basic aspect of this router's security?
>
>6) How did this get on to InternetWeek? Does anyone actually check these
>things out before publishing them?
>
>Please, prove me wrong on all points. Can anyone reproduce this?
>
>Dave
>
>
>
OK, you're wrong on all points. Here's a quote from the vendor:
Linksys, A division of Cisco Systems, Inc.
Product: WRT54G
Classification: Firmware Release History
Firmware Date: 6/2/2004
Release Date: BETA RELEASE
Last Firmware Version: 2.02.8_BETA
__________________________________________________________________________
Firmware 2.02.8_BETA
- Resolved security issue where remote management is enabled on port 80
and 443 when firewall is disabled