[YLUG] Router

[Paul Gibbs]

On Sunday 28 September 2008 16:13:48 Patrick Dupre wrote:
> Hello,
>
> When I make:
> wget -q -O /var/log/trendnet.log
> http://admin:@192.168.0.1/system_status.htm on my router it only gives the
> correct return if I previously log
> on the router (through http and a browser: the account is admin and
> there is not password).
>
> Some ideas ?

(Having read your other replies too)
WTF?
Is this router connected to the internet?
You have a router and the admin login is still admin, and you have no 
password!

Do you know how easy it is for a web page to automatically cause the page 
http://admin:@192.168.0.1/system_status.htm to be loaded? "No worries," you 
think; what about http://admin:@192.168.0.1/switch_off_firewall.htm? NAT is 
still pretty robust even without firewalls, but what about 
http...install_botnet_firmware.htm if it's a more popular brand.  ...or make 
one machine connected to the router the DMZ and expose all its 
vulnerabilities.

Moreover I find it had to believe that there have been 8 replies to this post 
and no-one yet has said this is a security hazard.

Are we all so autistic that we can only answer the question asked or is it 
just me that's so autistic I seem insensitive (yes I know I often am) and 
think about security too frequently. :-)

If you can change the admin login to a different name then do so, and make sure 
you use a good password and never the default password. If you can change the 
admin login you should at-least be able to add a different admin-enabled login 
name for you to use; as your browser keeps the login cookie even changing the 
admin password doesn't prevent a hacker's rouge website accessing your router 
if you've accessed it yourself as admin in the same browsing session.

If it's not as open as I fear then treat this as a little rant on what 
everyone should do with their routers.

Paul.<><