
http to sms vulnerability

7 years 1 month ago - 7 years 1 month ago #11529 by zveruga
Some unidentified hacker sent a great many SMS via my router (until the money on the account was gone). I read through the configs in depth and found a vulnerability in the HTTP to SMS module.
Even if the HTTP to SMS module is turned off in the web interface, the gateway allows sending SMS from the URL:
If I change the default login and password, everything is OK: the gateway answers "Authentication Failed: Need valid username and password"
It does not matter whether the module is turned on or off.
BTW: lighttpd does not check auth if the request equals "service" and the query string is "action=sendsms",
so a hacker does not need to know my login and password to the web interface to send SMS.
$HTTP["url"] =~ "^/service" {
    $HTTP["querystring"] !~ "^action=sendsms" {
        auth.require = (
            "/" => (
            "method" => "digest",
            "realm" => "Openvox-Wireless-Gateway",
            "require" => "valid-user"
            )
        )
    }
}
The version of my gateway is in the attachment.
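
The effect of the nested condition in the config above, as an added example that is not part of the original post or OpenVox's code: a small Python model of how the two `$HTTP[...]` conditions scope `auth.require`, usable as a config audit check. It evaluates only this fragment; the `HARDENED` variant and the function names are assumptions made for illustration.

```python
import re

# Config fragment from the post, closing delimiters restored.
VULNERABLE = '''
$HTTP["url"] =~ "^/service" {
    $HTTP["querystring"] !~ "^action=sendsms" {
        auth.require = (
            "/" => (
            "method" => "digest",
            "realm" => "Openvox-Wireless-Gateway",
            "require" => "valid-user"
            )
        )
    }
}
'''
# Constructed variant (assumption, not the vendor's fix): exemption removed.
HARDENED = '''
$HTTP["url"] =~ "^/service" {
    auth.require = ( "/" => ( "method" => "digest",
        "realm" => "Openvox-Wireless-Gateway", "require" => "valid-user" ) )
}
'''
COND = re.compile(r'\$HTTP\["(url|querystring)"\]\s*(=~|!~|==|!=)\s*"([^"]*)"\s*\{')

def auth_scopes(conf):
    """For each auth.require, list the enclosing (field, op, pattern) conditions."""
    stack, scopes = [], []
    for line in map(str.strip, conf.splitlines()):
        m = COND.match(line)
        if m:
            stack.append(m.groups())
        elif line.startswith("auth.require"):
            scopes.append(list(stack))
        elif line == "}" and stack:
            stack.pop()
    return scopes

def _holds(op, pattern, value):
    hit = bool(re.search(pattern, value)) if op.endswith("~") else value == pattern
    return hit != op.startswith("!")  # "!~" and "!=" invert the match

def auth_required(conf, path, query):
    req = {"url": path, "querystring": query}
    return any(all(_holds(op, pat, req[f]) for f, op, pat in s) for s in auth_scopes(conf))

def exemptions(conf):
    """Negated conditions around auth.require: matching requests skip auth."""
    return [(f, pat) for s in auth_scopes(conf) for f, op, pat in s if op.startswith("!")]
```

Running `exemptions()` over a device's lighttpd config lists every request pattern that bypasses digest auth, which is the thing to review before exposing the web interface.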
7 years 1 month ago #11532 by

Sorry for the trouble. We will fix it ASAP in the new firmware, and give you the new firmware ASAP.

Please change the default username and password first, for security.

Sorry for the trouble once again.