Fedora Security and the Uverse 3800HGV-B router

Marko Vojinovic vvmarko at gmail.com
Sat Jul 2 17:21:37 UTC 2011


On Saturday 02 July 2011 17:10:33 JD wrote:
> On 07/02/2011 08:12 AM, Brendan Jones wrote:
> > On 07/02/2011 01:45 PM, JD wrote:
> >> So how is the router doing it?
> >> This is a very disconcerting security hole and I have not been
> >> able to nail it down to any daemon running on my Fedora.
> > 
> > Isn't the page just redirecting to file://<ip>/ ?
> > 
> > You can do the same by typing that into the address bar of your browser.
> > If your local ip is <ip> (which is the same as file:/// ) you will be
> > able to traverse your root, but no other IP can.
> 
> I tried it. The browser cannot browse to my ip address
> for the simple reason I do not have apache httpd running.
> Read my subsequent posts on this.

You do not need an apache server to see your own files from the browser. I just 
typed

  file://127.0.0.1/

into Firefox and the files in the root directory appeared no problem. A web 
browser is supposed to be able to access your files, in the same way you are 
able to do it from the shell prompt.

Can your router display the files of some other computer connected to it? Or 
did you try that just with the one you were sitting at?

Have you tried browsing through some user's home directory (other than your 
own)? Could you read any of those files?

I don't think there is any security hole there, it's just your own browser 
playing tricks on you. Care to provide the html source code for the router's 
page that has a link to view the files? The source should tell us how it's 
being done.

HTH, :-)
Marko
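
The source check requested above, as an added example that is not part of the original message: a Python script that scans a saved copy of a page's HTML for file:// references (links, form targets, meta refresh) and reports whether each host part names the viewing machine itself. The sample page, its addresses and all function names are constructed for illustration; treating an empty, loopback or own-address host as the local disk follows the behaviour described in this thread.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = ("href", "src", "action")
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)

class FileLinkFinder(HTMLParser):
    """Collects every file:// URL referenced by the page."""
    def __init__(self):
        super().__init__()
        self.found = []  # list of (where, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS:
            self._check(tag, attrs.get(name))
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(attrs.get("content") or "")
            if m:
                self._check("meta-refresh", m.group(1))

    def _check(self, where, url):
        if url and urlsplit(url.strip()).scheme.lower() == "file":
            self.found.append((where, url.strip()))

def is_local_host(host, own_addresses=()):
    """True when the host part refers to the machine running the browser."""
    if host in ("", "localhost") or host in own_addresses:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify as local

def audit(html, own_addresses=()):
    finder = FileLinkFinder()
    finder.feed(html)
    return [(where, url, "local disk" if is_local_host(
                urlsplit(url).hostname or "", own_addresses) else "other host")
            for where, url in finder.found]

# Constructed sample page; 192.168.1.64 stands in for the viewing PC's LAN address.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5; url=file://192.168.1.64/"></head><body>
<a href="http://192.168.1.254/status.html">Status</a>
<a href="file://127.0.0.1/">View files</a>
<a href="file://fileserver/share/">Share</a></body></html>"""

if __name__ == "__main__":
    for row in audit(SAMPLE, own_addresses={"192.168.1.64"}):
        print(row)
```

A "local disk" result means the listing is produced by the browser reading the viewing machine's own filesystem, not by anything the page's server can see.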


