Re: CORE-20021005: Vulnerability Report For Li
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 12 Dec 2002 10:37:02 +1300
AARG! Anonymous <remailer () aarg net> wrote:
> At 08:10 PM 12/10/02 -0300, CORE Advisories wrote:
> > Many Linksys' network appliances have a remote administration and
> > configuration interface via HTTP, either from the local network,
> > or, if it's enabled, from any host across the internet.
>
> I just want to make sure I've got this right:
>
> It comes with secure defaults.
>
> But if I decide to open it up, it's not secure any more.
>
> Gee, I wonder what other products could be configured into an
> insecure state and boilerplated into an advisory?
>
> And would iDefense pay me for them?
I don't see why not.
It seems iDefense staff have very short memories and cannot even run
Google searches of obvious terms from the advisories they are
apparently so eager to buy. For example, their recent Eudora
advisory was obviously a trivial rehash (either unintentional or
otherwise I'll leave to others to decide) of one from much earlier
this year, as acknowledged in an updated advisory posted the next
day. But the updated advisory did not go further and point out that
in fact, both are really only minor updates to a series of advisories
dating back at least two years, and possibly longer (I got tired of
Googling after finding essentially similar advisories from early 2000
but am fairly sure I recall discussion of similar issues related to
the predictability of the (default) Eudora "detach" directory name
from early 1999 if not even earlier).
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.