[ previous ] [ next ] [ threads ]
 From:  "Rob Whyte" <rob at g dash labs dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  status.cgi security issue
 Date:  Wed, 1 Oct 2003 21:39:59 -0700
I noticed today that included in the status.cgi page is the xml
configuration file (config.xml) which shows the passwords for login and pptp
clients in PLAIN TEXT. There is no password required to get to this page,
and is viewable by anyone inside the firewall.

I mounted the mfsroot and sym linked '/usr/local/www/cgi-bin/.htpasswd ->
/var/run/htpasswd' after I read that .htpasswd doesn't traverse directories.

Hope this info helps!!