BugTraq
Buffalo LinkStation LS-WTGL Default Admin Account & Guest Access Information Dec 05 2012 02:37AM
Darius Freamon (darius freamon gmail com)
After reading l0rd lunatic's post about the Buffalo router
(http://seclists.org/fulldisclosure/2012/Nov/234), noticed that going
to login page and clicking 'help' will show you the default admin
account. I think that is what he meant about information disclosure!
It also lets you login as guest and provides more information.

Clicking help:

http://ROUTER/help/en/auth.html?gDummy=1354674691647&_=

HTTP/1.1 200 OK
Date: Wed, 05 Dec 2012 02:45:08 GMT
Server: Apache/1.3.34 (Unix)
Last-Modified: Fri, 11 Jul 2008 12:13:45 GMT
ETag: "140d1e9-14b-48774e79"
Accept-Ranges: bytes
Content-Length: 331
Content-Type: text/html; charset=UTF-8

<div id="divHelpItem" class="doc" >
<div id="divDocumentTitle">Login</div>
<div id="divDocumentText" class="doc_text">
Until you change it, the default username is "admin" and the default
password is "password".<br />
To login as Guest, please enter "guest" as user name and no password
and then press enter.
</div>
</div>

When you login as guest, it gives up this information:

http://ROUTER/cgi-bin/top.cgi

LinkStation Name CB-NAS-001
Model Name LS-WTGL/R1-V3 F/W 3.09
IP Address 127.0.0.1
Current Date and Time 2012/12/4 19:38:38
HDD Space Used RAID Array 1 322.32 GB / 500.76 GB (64.36 %)

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus