Security Flaw in firmware v1.00.9 for WRT54G v5

Discussion in 'Linksys Official Firmware' started by simax, Sep 7, 2006.

  1. simax

    simax Network Guru Member

    Please tell me I am wrong.

    I tried to see if there was a "secret" (hidden, not-documented) DHCP reservation page in my WRT54G v5. I am running current latest, official Linksys firmware v1.00.9.

    So I pointed my browser to:


    First, I was surprised to get a clear text webpage (after authenticating) that provides this:

    name="router_name" size="20" value='my_actual_router_name_was_here'
    value="wpa_personal" selected>
    size=32 name=wl_wpa_psk value='my_actual_wpa_key_was_here' maxlength=64>
    value="mixed" selected>

    Uhm. Ok. Well, not a major security flaw considering that one has to authenticate in order to get it.


    I purposedly went to other browser (Safari, originally, but it works with Firefox in Linux and MacOS X, and Camino too) and went to the main URL: (or whatever)

    The authentication window comes up.

    Typed "admin" for the username field.
    Typed a really long password for the password field (like more than 256 characters).

    The router reboots instantly, killing Internet, Ethernet and Wireless connectivity.

    I contacted Linksys (live chat) and they did not seem to be interested at all. Did anyone know this? Can someone else try it?

    Imagine if you have remote webadmin enabled. Not cool.
    One more reason (like there were few) to move to OpenWRT/DD-WRT.

  2. simax

    simax Network Guru Member

    Confirmed on IE

    I just tried from a Windows box (XP) running IE and it also rebooted the router.

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice