On Mon, Jul 14, 2003 at 07:45:38PM +0100, cw wrote: > Asus have been notified but haven't even acknowledged yet alone mentioned a fix. > > If the inbuilt webserver is activated, anyone on the local network > can get the full user/pass list from the router without any identification It's far worse than that, if the state in which my router was supplied is typical. As I received it, the webserver was enabled by default, *and* was accessible from the internet as well as the local network. I had to explicitly set up ip_filter rules to restrict access (the same goes for telnet access by the way). Worse, there was a bug which caused ip_filter rules not to be saved properly, so they were not restored after a reset. Fortunately this has been fixed in the last flash update (71205a32) but this same update also removes the requirement to specify a username. You now only need any one of the valid passwords to login. Asus really don't seem to have a clue. Finding out what has changed between the flash versions, either from them or from Solwise the UK distributors, is impossible. It takes a particularly special kind of incompetence to keep the passwords unencrypted and accessible via the webserver. I certainly won't be buying another of their products. The only workaround I know of is to set up ip_filter rules, which is way beyond the capabilities of most home users (truthfully, quite a number may not even have changed the default login password). I'm not aware of any way to disable the httpd completely. Anyone? Ben Wheeler
