Date: Mon, 28 Sep 1998 22:43:11 -0700
From: Steven Hearon <r700ss@YAHOO.COM.>
To: [email protected]Subject: Bay Accelar 1000 series
I dont know if this has been posted if so ignore it please.
For those of you lucky people to have a Bay Accelar 1000 series
here is something you might find interesting..
If one enables the HTTP server (Configuration Interface) on the Bay
Accelar 1000 series (I do not know if this is true on other
Accelars..I have only used Accelar 1200's) anyone can attach to the
main page of the Accelar without a password. Not only this, but one
can surf around a bit before being asked a password as well. The best
part of this is that when one tries to login and fails the system logs
do not show it!!! (Atleast a log show doesn't). Now since Bay likes
to use rw, rwo, and rwa one could use a brute hacker (wwwhack, etc) to
attempt access. Unlike other Bay products there is no option to only
allow certain subnets access to the HTTP server (Atleast none that I
could find, or multiple Bay Reps I talked too knew of). Last time I
talked to a Bay Rep I was told that it was an issue that was being
"looked into", so an easy solution is, do not enable the HTTP server
on your Accelar 1000 series. The damage that could be done is great
(Turning off ports, redoing VLANs, etc).
_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com