| VID | 29028 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The 3Com RAS 1500 router allows remote attackers to access configuration files. The 3Com SuperStack II Remote Access System (RAS) 1500 requires HTTP basic authorization only for the download.htm file, which is the download manager for configuration files and system software. The system images and configuration files themselves are not protected by HTTP authorization, so an unauthorized user can read configuration and system files through the web interface on the RAS 1500. Specifically, the user configuration file, user_settings.cfg, contains the password of this device in clear text. References: http://www.securityfocus.com/archive/1/316043 http://isec.pl/vulnerabilities/isec-0009-3com-ras.txt http://www.3com/ras1500 Platforms Affected: 3Com SuperStack II RAS 1500 Firmware X2.0.10 |
| Recommendation | No remedy available as of June 2014. Filter incoming traffic to this device from untrusted networks. |
| Related URL | (CVE) |
| Related URL | 7176 (SecurityFocus) |
| Related URL | (ISS) |