These Davolink DVW 3200 routers expose their login portal on port 88, and access is password protected.
Analyzing the source code of the page, the expert noticed a function named “clickApply” that included the password in standard Base64 encoding.
function clickApply(sel) {
    var user_passwd="YWRtaW4=";
    var super_passwd="(null)";
    document.forms[0].http_passwd.value = encode(document.forms[0].tmp_http_passwd.value);
The expert reported the issue to the vendor, which quickly acknowledged it and responded that it has discontinued the product. The vendor added that a working patch is already available.
The expert published the exploit code on exploit-db.
“Many IoT vendors are not doing the basics right as keeping the password in the HTML source, it is a very basic security issue,” concluded Anubhav, “and it is a relevant issue as users in Korea are using it.”
(Security Affairs – Davolink, hacking)