Vulnerability Note VU#930364
Linksys WRT54G routers do not properly validate user credentials
Linksys WRT54G routers do not properly validate user credentials before allowing configuration changes.
The Linksys WRT54G is a broadband router that has an integrated wireless access point and Ethernet switch. The WRT54G router's configuration settings are controlled by a web interface that uses either HTTP or HTTPS. Before viewing configuration files, an administrator needs to supply valid credentials.
The administrator's credentials are only used for viewing the device's configuration; the WRT54G does not require any credentials when making changes to configuration files. An attacker may be able to create a specially crafted web page that makes changes to the router's configuration when opened by anyone connected to the wireless or LAN ports of the router.
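The flaw pattern described above, modelled as a small request handler beside a hardened version. This is an added example, not Linksys firmware code or part of the original note; the handler names, credentials, the `wl_security` config key used in testing, and the anti-CSRF token scheme are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, secrets

ADMIN_USER, ADMIN_PASS = b"admin", b"demo-password"   # constructed demo values
SERVER_KEY = secrets.token_bytes(32)                  # per-boot secret (assumption)

def admin_headers():
    """Headers a logged-in admin's browser would send (constructed)."""
    cred = base64.b64encode(ADMIN_USER + b":" + ADMIN_PASS).decode()
    return {"Authorization": "Basic " + cred}

def basic_auth_ok(headers):
    """Check an HTTP Basic Authorization header with constant-time compares."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).partition(b":")
    except ValueError:
        return False
    return (hmac.compare_digest(user, ADMIN_USER)
            and hmac.compare_digest(password, ADMIN_PASS))

def csrf_token():
    """Token embedded in the authenticated settings page; unreadable cross-origin."""
    return hmac.new(SERVER_KEY, b"csrf:" + ADMIN_USER, hashlib.sha256).hexdigest()

def handle_flawed(method, headers, form, config):
    """Pattern described in the note: credentials gate viewing only."""
    if method == "GET":
        return 200 if basic_auth_ok(headers) else 401
    if method == "POST":
        config.update(form)          # change path never checks credentials
        return 200
    return 405

def handle_hardened(method, headers, form, config):
    """Authenticate every method; changes also need the anti-CSRF token."""
    if method not in ("GET", "POST"):
        return 405
    if not basic_auth_ok(headers):
        return 401
    if method == "POST":
        supplied = form.get("csrf", "").encode()
        if not hmac.compare_digest(supplied, csrf_token().encode()):
            return 403
        config.update({k: v for k, v in form.items() if k != "csrf"})
    return 200
```

The token check matters because a browser may attach stored credentials to a request triggered by another site, so authentication alone does not stop a change submitted from a crafted page.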
A remote, unauthenticated attacker could change the configuration of an affected router.
There is currently no practical solution available to this problem.
Disable remote access
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Linksys (A division of Cisco Systems) | Affected | - | 21 Nov 2006 |
This vulnerability was publicly reported by Ginsu Rabbit.
This document was written by Ryan Giobbi.
- CVE IDs: Unknown
- Date Public: 07 Aug 2006
- Date First Published: 05 Oct 2006
- Date Last Updated: 21 Nov 2006
- Severity Metric: 1.98
- Document Revision: 51