[6563] in bugtraq
Re: Webramp M3 login info
daemon@ATHENA.MIT.EDU (Niek Jongerius)
Tue Apr 21 16:09:00 1998
Date: Tue, 21 Apr 1998 17:22:48 +0200
Reply-To: niek@dupaco.nl
From: Niek Jongerius <niek@DUPACO.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199804182235.PAA02783@geocities.com> from
"the_coyote@geocities.com" at Apr 18, 98 04:34:53 pm
> This Seems to be a new problem (if it has been reported
> I have never seen it)
>
> The Product :
>
> Webramp M3
> from Ramp Networks, Inc
>
> The Problem
>
> I have encountered one of these routers logged into a Dial-up
> account. It has the setup web pages world readable via http thus
> giving out all login info (including password) for the dial up
> account. It also gives a hang-up option that may allow for DoS
> attacks.
>
> Currently it is unknown if this is just one misconfigured router or
> a wide spread problem.
A reaction from a WebRamp tech:
To set the story straight, this was a misconfigured WebRamp and not a bug
in our product line. By default, the M3 is world readable/configurable with
a standard web browser right out of the box. This is so our customers can
set it up in minutes and connect it to their network and configure it
without the need for any special proprietary software; we've tried to make
this product as simple as possible for anyone to install.
If the default admin password is not changed once the product is online
with the ISP, then anyone can connect to it's WAN IP address and
reconfigure it. Common sense dictates that the first thing you change,
once it's been configured, is the default admin password. Once changed, if
you access the WAN IP, it prompts for a user name and password like any
other server one would log into.
Since the M3 family is usually configured to obtain an IP address
dynamically and it dials out on demand (i.e. it's only connected when
someone is using it) the only people who would know it's online is the ISP
or those individuals who routinely shift through a full class C IP with
their web browser.
Whether it is sensible to set the default behaviour to "world
readable" and let the administrator force it to something more secure
is questionable to say the least, the problem is at least fixable. The
password can be set from the same web interface.
Niek.
===============================================================================
Niek Jongerius - Dupaco BV | Email : niek@dupaco.nl
Tel : +31 33 494 88 88 |
Fax : +31 33 495 05 20 |
