[[:UPDATE hypoclear security advisory UPDATE:]]

Update Note: Thanks to the guys on the vuln-watch list who helped with a better solution!

Vendor   : Linksys | http://www.linksys.com/
Product  : EtherFast 4-Port Cable/DSL Router
Category : Design Flaw
Date     : 08-02-01
Update   : 08-02-01

CONTENTS
1. Overview
2. Details
3. "Exploit"
4. Possible Solution
5. Vendor Response
6. Contact
7. Disclaimer

1. Overview:

The Linksys "EtherFast 4-Port Cable/DSL Router" is subject to a security flaw in its design. Passwords for the router and the user's ISP account can be viewed in the HTML source code stored on the router.

2. Details:

The login passwords for both the router and the user's ISP are passed to the router's configuration pages. While they cannot be viewed directly in the browser window, the passwords are in "cleartext" if viewed via the HTML source code. This may lead to a compromise of the router and the user's ISP account. The pages in question are index.htm, which contains the user's ISP logon and password, and Passwd.htm, which contains the password for the router.

If combined with a "sniffer" attack, the source code (with passwords) can be viewed during transmission to the administrator's browser. (Note: The transmissions can only be "sniffed" within the LAN behind the router.)

3. "Exploit":

There is no exploit code needed to exploit this vulnerability. The passwords are stored and transmitted in "cleartext" within the HTML source. The passwords can easily be viewed by sniffing the Ethernet when an administrator logs in and views the offending pages.

Sections of offending code (code formatted for easier viewing):

On index.htm:

--- code cut ---
User Name: