Re: Webramp M3 login info

From: Niek Jongerius (niekat_private)
Date: Tue Apr 21 1998 - 08:22:48 PDT

Next message: Carl Dunham (Remove xx_ before replying): "Re: APC UPS PowerChute PLUS exploit..."

Previous message: David LeBlanc: "Re: NT configuration caution"
Maybe in reply to: the_coyoteat_private: "Webramp M3 login info"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> This Seems to be a new problem (if it has been reported
> I have never seen it)
>
> The Product :
>
> Webramp M3
> from Ramp Networks, Inc
>
> The Problem
>
>   I have encountered one of these routers logged into a Dial-up
> account. It has the setup web pages world readable via http thus
> giving out all login info (including password) for the dial up
> account. It also gives a hang-up option that may allow for DoS
> attacks.
>
>   Currently it is unknown if this is just  one misconfigured router or
>   a wide spread problem.

A reaction from a WebRamp tech:

  To set the story straight, this was a misconfigured WebRamp and not a bug
  in our product line. By default, the M3 is world readable/configurable with
  a standard web browser right out of the box.  This is so our customers can
  set it up in minutes and connect it to their network and configure it
  without the need for any special proprietary software; we've tried to make
  this product as simple as possible for anyone to install.

  If the default admin password is not changed once the product is online
  with the ISP, then anyone can connect to it's WAN IP address and
  reconfigure it.  Common sense dictates that the first thing you change,
  once it's been configured, is the default admin password.  Once changed, if
  you access the WAN IP, it prompts for a user name and password like any
  other server one would log into.

  Since the M3 family is usually configured to obtain an IP address
  dynamically and it dials out on demand (i.e. it's only connected when
  someone is using it) the only people who would know it's online is the ISP
  or those individuals who routinely shift through a full class C IP with
  their web browser.

Whether it is sensible to set the default behaviour to "world
readable" and let the administrator force it to something more secure
is questionable to say the least, the problem is at least fixable. The
password can be set from the same web interface.

Niek.

===============================================================================
Niek Jongerius - Dupaco BV             |  Email : niekat_private
Tel : +31 33 494 88 88                 |
Fax : +31 33 495 05 20                 |

Next message: Carl Dunham (Remove xx_ before replying): "Re: APC UPS PowerChute PLUS exploit..."
Previous message: David LeBlanc: "Re: NT configuration caution"
Maybe in reply to: the_coyoteat_private: "Webramp M3 login info"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:50:14 PDT