Framed (Mis)Security Madness



  • Here's some javascript i found in the (dynamic-generated) pages, from the web-interface of a router i have....

    (And because TRWTF is this forum and i can't get the code past the WYSIWYG editor/parser without totaly fucking up i'll post it as a picture)

    WTF

    this goes on for a couple of pages. I did not test if it is posible to actualy load frames that you are not supposed to access (or is there something server-side that actually checks), but even if it isn't seems like a major WTF.

    ============[ EDIT ]=============

    And some more:

    if("dGJtMzMzMw==" == "")
     document.writeln('<input type="text" name="pppPassword" size="40" maxlength="64" onfocus="startPause()" onblur="startReload()" value="">');
    else
     document.writeln('<input type="password" name="pppPassword" size="40" maxlength="64" onfocus="startPause()" onblur="startReload()" value="">');


  • Winner of the 2016 Presidential Election

    "dGJtMzMzMw==" == base64_encode( "tbm333" )

    Definite WTF. All this logic belongs server-side, especially if the router allows remote administration. Even if it doesn't, if someone gets on your wireless network (WEP is trivial to crack), they can just view source to get the admin username, and find other interesting (probably not secured) URLs.


    On a side-rant, I'm sick of seeing <script language="javascript">. The type attribute of the script element is required. HTML really isn't that complicated; why is tag-soup so prevalent?



  •  Oh you clueless noobs. Don't you know that frames SECURELY mediate by design?



  • What brand is this router?

    Most routers have horrible web UIs, the worst is probably D-link's hardware in the silver-and-green chassis (the black-and-orange seem to have some improvements). First, they have 2 megs of ROM that have to store everything, including the OS, services and every HTML page. Well, to save space these guys decided to store every link as a highly-compressed JPEG image (instead of CSS-styled links and buttons which look nicer and need less storage!) The DHCP server's IP address assigment form is often completely broken in Firefox, but a reboot sometimes fixes this bug. Every single action needs a reboot, meaning that configuring network access, adding 3 firewall rules and 4 DHCP clients needs EIGHT REBOOTS!

    Asus routers have UIs that look horrible, with a pink background and a highly compressed JPEG logo and folder-icons stolen from Windows 95, but at least they work better than D-link's.

    The only non-WTF router interfaces I've used are openwrt and dd-wrt.



  • @zlogic said:

    What brand is this router?

     It's a beige box without any identifying marks on it, except for the logo of the provider.

    All of it's MAC addresses belong to "ASKEY COMPUTER CORP."
    And the web interface says:

    Firmware:  3.102d2
    ADSL2+ :  A2pB021g.d20h
    Wireless :  4.150.10.5

    for what it's worth
    ================================

    And here some more military-grade security right there in the JS:

    var tr69AcsUrl = 'http://rms.bezek.com/';
    var tr69cAcsPwd = '[BASE64 PASSWORD HERE]';
    var tr69cConnReqPwd = '[BASE64 PASSWORD HERE AGAIN]';
    var tr69cAcsUser = 'bezeq69';
    var tr69cConnReqUser = 'bezeq69';

    TR69 probably refers to http://en.wikipedia.org/wiki/TR-069



  • @bdew said:

    @zlogic said:

    What brand is this router?

     It's a beige box without any identifying marks on it, except for the logo of the provider.

    All of it's MAC addresses belong to "ASKEY COMPUTER CORP."
    And the web interface says:

    Firmware:  3.102d2
    ADSL2+ :  A2pB021g.d20h
    Wireless :  4.150.10.5

    I wonder if that piece of shit uses GET to submit configuration changes. As ridiculous as it sounds, a reference design by certain conpany that starts with C and ends with T, was doing that.

     



  • @zlogic said:

    Most routers have horrible web UIs, the worst is probably D-link's hardware in the silver-and-green chassis (the black-and-orange seem to have some improvements). First, they have 2 megs of ROM that have to store everything, including the OS, services and every HTML page. Well, to save space these guys decided to store every link as a highly-compressed JPEG image (instead of CSS-styled links and buttons which look nicer and need less storage!) The DHCP server's IP address assigment form is often completely broken in Firefox, but a reboot sometimes fixes this bug. Every single action needs a reboot, meaning that configuring network access, adding 3 firewall rules and 4 DHCP clients needs EIGHT REBOOTS!

    I have one of those D-Link routers. I got it cheap. After using the admin app, I can see why I got it so cheap. :-p

    The Javascript is seriously broken. They use getElementById to try to access elements for which only the name attribute is defined. Guys, it's called getElementById for a reason...

    (And because of this, the only browser it actually works with on Linux and Mac OS is Opera, because its quirks mode actually takes this particular quirk into account. Though it can be hacked into submission with Firebug on Firefox.)



  • @alegr said:

    I wonder if that piece of shit uses GET to submit configuration changes. As ridiculous as it sounds, a reference design by certain conpany that starts with C and ends with T, was doing that.

    Ahh, Cunt Corporation. Figures they'd be up to these kind of tricks.



  • @zlogic said:

    Every single action needs a reboot, meaning that configuring network access, adding 3 firewall rules and 4 DHCP clients needs EIGHT REBOOTS!

    You're lucky. My router resets everything on reboot.



  • @bdew said:

    (And because TRWTF is this forum and i can't get the code past the WYSIWYG editor/parser without totaly fucking up i'll post it as a picture)

    And yet you posted it as a JPEG, thereby totaly fucking up.


  • Discourse touched me in a no-no place

     TRWTF is that you failed to read the dates.



  • @Weng said:

     TRWTF is that you failed to read the dates.

    Aw, shucks. And here I thought I would never fall for this trick.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.