
Re: [FD] Vulnerabilities in Transcend Wi-Fi SD Card

On 03/26/2017 04:43 PM, MustLive wrote:
> Brute Force (WASC-11):
> There is no protection against BF attacks in the admin panel,
> because Basic Authentication is used. It is unlikely that the owner will
> change the login and password for the admin panel. But if they do, then they
> can be picked up.

This conflates two issues, and anyhow, Basic Authentication is not a
problem (Digest won't be any more secure than Basic, if SSL is used...
is it present?).

> Cross-Site Request Forgery (WASC-09):
> There are CSRF vulnerabilities in admin panel. Such as this one: in login
> process there is no captcha, so besides lack of protection against BF, also
> CSRF attack can be made. It's possible to remotely enter into admin panel
> (with default login and password) for conducting further CSRF attacks.

CAPTCHA has nothing to do with CSRF. Neither do default credentials.

Joey Kelly
Minister of the Gospel and Linux Consultant

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/
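To illustrate the two points made above, that brute-force resistance is a property of how the server handles repeated failures rather than of the Basic scheme, and that CSRF defence is a matter of origin and token checks rather than of CAPTCHAs or credentials, here is a small added example in Python. It is not code from the card's firmware or from either poster; the `admin`/`admin` credentials, the client address, the lockout parameters and the `https://admin.example` origin are all constructed for the demonstration.

```python
import base64
import hmac
import time

# Constructed demo credentials (a real device would store a salted hash).
ADMIN_USER = "admin"
ADMIN_PASSWORD = "admin"

MAX_FAILURES = 5        # failed attempts per source before lockout (assumed value)
LOCKOUT_SECONDS = 300   # how long a locked-out source must wait (assumed value)


class BasicAuthThrottle:
    """Per-source failure counter in front of an HTTP Basic Authentication check.

    The scheme (Basic, Digest, form login) does not decide whether brute force
    works; whether the server throttles repeated failures does.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock              # injectable so the lockout can be tested offline
        self._failures = {}             # source -> count of consecutive failures
        self._locked_until = {}         # source -> time at which the lockout expires

    @staticmethod
    def _parse_basic(header):
        """Return (user, password) from an 'Authorization: Basic ...' header, or None."""
        if not header or not header.startswith("Basic "):
            return None
        try:
            raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        if ":" not in raw:
            return None
        user, password = raw.split(":", 1)
        return user, password

    def authenticate(self, source, header):
        """Return (status, reason): 200 on success, 401 on bad credentials, 429 when locked out."""
        now = self.clock()
        if now < self._locked_until.get(source, 0):
            return 429, "locked out"
        ok = False
        creds = self._parse_basic(header)
        if creds is not None:
            user, password = creds
            # Constant-time compares, combined with & rather than 'and' so that
            # a matching username does not short-circuit and leak via timing.
            ok = (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
                  & hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode()))
        if ok:
            self._failures.pop(source, None)
            return 200, "ok"
        count = self._failures.get(source, 0) + 1
        self._failures[source] = count
        if count >= self.max_failures:
            self._locked_until[source] = now + self.lockout
            self._failures.pop(source, None)
            return 429, "locked out"
        return 401, "bad credentials"


def csrf_ok(headers, session_token, allowed_origin):
    """Accept a state-changing request only if it comes from the admin UI's own
    origin and carries the session's anti-CSRF token. No CAPTCHA is involved,
    and the check is the same whether or not the credentials are defaults."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    same_origin = origin == allowed_origin or origin.startswith(allowed_origin + "/")
    if not same_origin:
        return False
    submitted = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(submitted, session_token)


def demo():
    """Drive the throttle with a fake clock: four failures, lockout, then recovery."""
    clock = [0.0]
    throttle = BasicAuthThrottle(clock=lambda: clock[0])
    bad = "Basic " + base64.b64encode(b"admin:wrong").decode()
    good = "Basic " + base64.b64encode(b"admin:admin").decode()
    attempts = [throttle.authenticate("10.0.0.7", bad)[0] for _ in range(MAX_FAILURES)]
    while_locked = throttle.authenticate("10.0.0.7", good)[0]   # correct creds still refused
    clock[0] += LOCKOUT_SECONDS                                  # wait out the lockout
    after_lockout = throttle.authenticate("10.0.0.7", good)[0]
    return attempts, while_locked, after_lockout


if __name__ == "__main__":
    print(demo())
```

The throttle keys on the requesting address only as an illustration; a real device would also count failures per account and back off with increasing delay. The `csrf_ok` check shows why the CAPTCHA remark does not follow: a per-session token plus an origin check stops a cross-site form post regardless of who knows the password.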