Routers OEM’d from AMIT have a security flaw that allows the admin page password to be viewed. Details follow:
Requirements:
Internet Explorer 5.0 or above
Access to the History folder on the computer that IE is run from
How to View:
Log into the router, and hold the cursor over the URL in the history file that starts with “logi?RC=”. The “tooltip” data contains the login password right after “&URL=”. (See the screen shot below)
NOTES:
– The password could not be viewed via the Netscape 4.7 History, or by viewing files in the browser cache.
– Any AMIT-based router that has a framed interface and that uses a web page form field for password entry will have the problem. The problem has been confirmed on the following products:
SMC7004AWBR wireless
SMC7008
DLink DI-713P
– It’s been confirmed that an SMC7004ABR (non AMIT) and Linksys BEFSR41 DO NOT have the problem. (They use pop-up NT style login challenge boxes for login).
Work-Around:
Clearing the IE History (Internet Options Control Panel > General Tab) after a router Admin session removes the password information.
