> -----Original Message-----
> From: Matthew Caron [mailto:matt@xxxxxxxxxxxxx]
> Sent: Monday, May 31, 2004 5:19 PM
> To: Alan W. Rateliff, II
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: LinkSys WRT54G administration page availble to WAN
>
> Isn't that the Linksys product that runs Linux and all these folks have
> been making custom firmware for? If so, can't one of those folks fix
> this bug if Linksys is taking too long?

Perhaps, but the points still remain that LinkSys is distributing a vulnerable product through all channels, retail stores are blowing this item out with rebates, and Joe Average User isn't going to upgrade to a custom Linux-based firmware because chances are he or she is not aware of it.

Also, I have received a shit-storm of auto-replies from my original post. Hey, people, DON'T SUBSCRIBE TO A LIST USING AN ADDRESS WITH AUTO-RESPONDERS!!

After wading through 30-or-so of these auto-responses, I found three valid emails. The general answer is that I had an open dialogue with LinkSys support (case #AEV-14523-534, which refers to #KNU-66355-624,) the problem was originally noted to them on 04/28/04, and because of my open dialogue with LinkSys support I did not send an email to any other address or department at LinkSys.

In regards to the last part, I do now feel somewhat remiss for not having done so, however at the same time a proven security issue should be properly communicated from support to the appropriate department. That seems to not be the case, and assumption is the evil of all root.

--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2@xxxxxxxxxxxx
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]