IBC Solar – Multiple Vulnerabilities

I caught a few IBC Solar ServeMaster TLP+ installations off the Danfoss Shodan search and it seems to have the same vulnerabilities plus a few. They use the same underlying server and same layout for the web pages so I think it is just different branding? You can login with the defaults of admin / admin.

Login screen:

ibcsolar01

Under Setup -> Communication -> SMTP setup (/cgi-bin/setup_comm_smtp.tcl), the credentials of a mail server are stored in plain text. If the default admin login is not changed then an attacker can gain credentials of another server:

ibcsolar02

The request is made over HTTP via the GET method, not SSL:

ibcsolar03

The response is in the clear as seen in a proxy:

ibcsolar04

Under Setup -> Communication -> Portal upload (/cgi-bin/setup_comm_dw.tcl), the credentials of the FTP server are stored in plain text too:

ibcsolar05

Under Setup -> Communication -> GSM Modem (/cgi-bin/setup_comm_gprs.tcl), the credentials of the FTP server are stored in plain text too:

ibcsolar06

Advertisements

Tags: , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: