From: Kras Hish (access9BIGFOOT.COM)
Date: Wed Feb 21 2001 - 21:00:41 CST

    But should others have access to this information? That's the point of my
    message.

    Just as a router does not display who it provides access to, neither should
    their modem.

    -ks

    -----Original Message-----
    From: Emre Yildirim [mailto:emresrengineering.com]
    Sent: Wednesday, February 21, 2001 4:10 PM
    To: BUGTRAQSECURITYFOCUS.COM
    Cc: access9BIGFOOT.COM
    Subject: Re: Security flaw in Telocity's "Gateway Modem"

    On Tuesday 20 February 2001 18:29 US Central Time, Kras Hish wrote:
    > Telocity provides DSL to their customers through what they call the
    > Telocity "Gateway Modem".
    > In the modems, you can connect to them through your web browser to view
    > usage statistics, your assigned IP, the DHCP server IP (Modem's IP),
    > Management's IP (Modem's IP, different than the previous), DNS IP, and the
    > hardware software version information.
    >
    > In the older model modem, it is possible to remotely view the "Details"
    > section of the modem, thus revealing all the above mentioned information to
    > a possible intruder. Telocity has numbered their gateways in sequential
    > order, so it would be possible to write a script that would search for
    > http://123.123.123.1/stats in a range of addresses. Of course there is the ever
    > interesting URL http://123.123.123.1/admin which prompts you for a
    > username/password combo to access what? (any information on this would be
    > great)

    How is this a "security flaw"? It displays your connection's status as well
    as hardware information of your DSL modem. This is really useful, especially
    if you run a server off your Telocity DSL line. It lets you check on your
    connection remotely, so you can check status of your DSL from anywhere. I
    think this is a feature, rather than a bug.