On Mon, Jul 14, 2003 at 07:45:38PM +0100, cw wrote: > Asus have been notified but haven't even acknowledged yet alone mentioned a fix. > > If the inbuilt webserver is activated, anyone on the local network > can get the full user/pass list from the router without any identification It's far worse than that, if the state in which my router was supplied is typical. As I received it, the webserver was enabled by default, *and* was accessible from the internet as well as the local network. I had to explicitly set up ip_filter rules to restrict access (the same goes for telnet access by the way). Worse, there was a bug which caused ip_filter rules not to be saved properly, so they were not restored after a reset. Fortunately this has been fixed in the last flash update (71205a32) but this same update also removes the requirement to specify a username. You now only need any one of the valid passwords to login. Asus really don't seem to have a clue. Finding out what has changed between the flash versions, either from them or from Solwise the UK distributors, is impossible. It takes a particularly special kind of incompetence to keep the passwords unencrypted and accessible via the webserver. I certainly won't be buying another of their products. The only workaround I know of is to set up ip_filter rules, which is way beyond the capabilities of most home users (truthfully, quite a number may not even have changed the default login password). I'm not aware of any way to disable the httpd completely. Anyone? Ben Wheeler
This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 13:46:17 PDT