Bug in Netgear FM114P Wireless Router firmware

From: Björn Stickler (sticklerat_private-darmstadt.de)
Date: Sun Feb 09 2003 - 11:20:46 PST

    hi,
    
    i found out that the netgear FM114P wireless router has a
    directory-traversal like bug in the web-configuration interface.
    documents/files can be accessed without authentication by using escaped
    directory traversal from the accessible /upnp/service directory.
    
    this results f.ex. in the ability to grab the configuration file without
    authentication on the router (remotely possible when remote
    configuration is enabled) by using the following url:
    
    http://ip-or-hostname:port/upnp/service/%2e%2e%2fnetgear.cfg
    
    this config file contains dialup-password, dynamic dns-configuration
    password and the main router configuration options. the router-password
    and wep-keys are NOT included in this configuration file.
    
    as far as i can say from my tests, there is no possibility to submit
    data to forms on the router web-interface. (if so, it would be possible
    to reset password or access wep-keys).
    
    the bug affects current router firmware v1.4 Beta Release 17; others have
    not been tested by myself. the netgear support has been informed.
    
    to avoid the possibility for others to grab your config-file, simply
    disable the remote management of the router (if enabled anyway).
    disabling the upnp option of the router software does not affect the
    behaviour.
    
    
    regards,  b.stickler
    
    
    http://intex.ath.cx
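
A detection-side illustration of the escaped traversal reported above, as an added example that is not part of the original post or of any Netgear code: it decodes and normalizes request paths and flags those addressed to /upnp/service that resolve outside it. The function names and the sample request lines (including `desc.xml` and the double-encoded variant) are constructed for illustration, and the normalization is generic POSIX-style, not a model of the router's own path handling.

```python
import posixpath
from urllib.parse import unquote, urlsplit

BASE = "/upnp/service"  # the unauthenticated directory named in the post

def resolve(raw_target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding), then normalize."""
    path = urlsplit(raw_target).path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # treat backslashes as separators too
    return posixpath.normpath("/" + path.lstrip("/"))

def escapes_base(raw_target: str, base: str = BASE) -> bool:
    """True when a request addressed under `base` resolves outside it."""
    raw_path = urlsplit(raw_target).path
    if not raw_path.lower().startswith(base + "/"):
        return False  # not addressed to the unauthenticated area
    resolved = resolve(raw_target)
    return not (resolved == base or resolved.startswith(base + "/"))

# Constructed access-log request lines (not captured from a real device).
SAMPLE_LOG = [
    "GET /upnp/service/desc.xml HTTP/1.1",
    "GET /upnp/service/%2e%2e%2fnetgear.cfg HTTP/1.0",
    "GET /upnp/service/%252e%252e%252fnetgear.cfg HTTP/1.0",
    "GET /index.htm HTTP/1.1",
]

def flag_requests(lines):
    """Return (raw target, resolved path) for each request that escapes BASE."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and escapes_base(parts[1]):
            hits.append((parts[1], resolve(parts[1])))
    return hits

if __name__ == "__main__":
    for target, resolved in flag_requests(SAMPLE_LOG):
        print(f"traversal out of {BASE}: {target} -> {resolved}")
```

The same `escapes_base` check, applied before any file lookup, is what an authorization layer needs: decide on the decoded, normalized path rather than on the raw request string.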
    


