> This seems to be a new problem (if it has been reported
> I have never seen it)
>
> The Product :
>
> Webramp M3
> from Ramp Networks, Inc
>
> The Problem
>
> I have encountered one of these routers logged into a Dial-up
> account. It has the setup web pages world readable via http thus
> giving out all login info (including password) for the dial up
> account. It also gives a hang-up option that may allow for DoS
> attacks.
>
> Currently it is unknown if this is just one misconfigured router or
> a widespread problem.

A reaction from a WebRamp tech:

To set the story straight, this was a misconfigured WebRamp and not a bug in our product line. By default, the M3 is world readable/configurable with a standard web browser right out of the box. This is so our customers can set it up in minutes and connect it to their network and configure it without the need for any special proprietary software; we've tried to make this product as simple as possible for anyone to install. If the default admin password is not changed once the product is online with the ISP, then anyone can connect to its WAN IP address and reconfigure it. Common sense dictates that the first thing you change, once it's been configured, is the default admin password. Once changed, if you access the WAN IP, it prompts for a user name and password like any other server one would log into. Since the M3 family is usually configured to obtain an IP address dynamically and it dials out on demand (i.e. it's only connected when someone is using it), the only people who would know it's online are the ISP or those individuals who routinely sift through a full class C IP with their web browser.

Whether it is sensible to set the default behaviour to "world readable" and let the administrator force it to something more secure is questionable to say the least, but the problem is at least fixable. The password can be set from the same web interface.

Niek.
===============================================================================
Niek Jongerius - Dupaco BV | Email : niekat_private
Tel : +31 33 494 88 88     | Fax : +31 33 495 05 20 |
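The vendor's reply describes the two states an M3 can be in: out of the box the setup page answers to anyone who reaches the WAN address, and once the admin password is changed the same address prompts for credentials. The following self-check, added here and not part of the original posting or of any Ramp Networks software, lets an administrator confirm which state their own device is in by requesting one management URL and reporting whether the page came back without authentication. It assumes plain HTTP management and that a protected page answers 401 with a WWW-Authenticate header; two tiny local servers stand in for the two configurations so it runs offline.

```python
"""
Added example (not from the original posting): a self-check that reports
whether a device's web-management page answers without authentication.
Assumptions: the management interface is plain HTTP on the device's address
and a protected page answers 401 with a WWW-Authenticate header, as the
vendor's reply describes. Two local servers simulate the "out of the box"
and "password changed" configurations so the check can be run offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample page standing in for a world-readable setup page
# (placeholder values only, no real credentials).
SETUP_PAGE = b"<html><body>ISP login: user_placeholder password: ****</body></html>"


class OpenHandler(BaseHTTPRequestHandler):
    """Default configuration: serves the setup page to any client."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(SETUP_PAGE)

    def log_message(self, *args):  # silence request logging
        pass


class ProtectedHandler(OpenHandler):
    """Hardened configuration: demands HTTP Basic credentials first."""

    def do_GET(self):
        if self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="WebRamp"')
            self.end_headers()
            return
        super().do_GET()


def start_server(handler):
    """Bind an ephemeral localhost port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_admin_exposure(url, timeout=5):
    """Classify a single management URL without sending any credentials:
    'exposed'   - the page was returned with no authentication (default state)
    'protected' - the server demanded authentication (HTTP 401)
    'other'     - any other response, or the device could not be reached
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "exposed" if resp.status == 200 else "other"
    except urllib.error.HTTPError as err:
        return "protected" if err.code == 401 else "other"
    except (urllib.error.URLError, OSError):
        return "other"


def demo():
    """Run the check against both simulated configurations."""
    open_srv = start_server(OpenHandler)
    prot_srv = start_server(ProtectedHandler)
    try:
        return {
            "default": check_admin_exposure(f"http://127.0.0.1:{open_srv.server_port}/"),
            "password_set": check_admin_exposure(f"http://127.0.0.1:{prot_srv.server_port}/"),
        }
    finally:
        for srv in (open_srv, prot_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a real device, point `check_admin_exposure` at the management URL of your own router's WAN address; an "exposed" verdict means the setup pages (and the dial-up credentials they display) are readable by anyone who finds the address, and the fix is the one the vendor names: set the admin password from the same web interface and re-run the check to confirm it now reports "protected".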
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:50:14 PDT