MyPBX Default Credentials & Cleartext Transmission

MyPBX by Yeastar (Shodan search) ships with default credentials, and its web interface sends them as GET parameters over plain HTTP. Because the credentials are part of the URL, the login may also end up in web-server, proxy and other system logs:

GET /rawman?action=login&username=admin&secret=password HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
X-Requested-With: XMLHttpRequest
Accept: */*

From the user manual:

From your web browser, input the IP address of the MyPBX server.
If this is the first time you are configuring MyPBX, please use the default
settings below:
IP Address:
Username: admin
Password: password
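As an added example (not code from the original post or from Yeastar), a small Python detector that scans access-log lines for the rawman login request shown above, flags logins that use the manual's default admin/password pair, and masks the secret so retained logs do not keep the password. The sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Default credentials quoted from the MyPBX manual in the post above.
DEFAULT_CREDS = {("admin", "password")}
# Matches a raw request line ("GET /x HTTP/1.1") or the same quoted in a CLF log line.
REQUEST_RE = re.compile(r'(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+')
# Value of the "secret" query parameter, for redaction before logs are kept.
SECRET_RE = re.compile(r'(?<=[?&]secret=)[^&\s"]*')

def analyse_request_line(line):
    """Return a finding if the line is a MyPBX rawman login, else None.
    The secret value is deliberately not copied into the finding."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/rawman":
        return None
    q = parse_qs(parts.query)
    if q.get("action") != ["login"]:
        return None
    username = q.get("username", [""])[0]
    secret = q.get("secret", [""])[0]
    return {
        "method": m.group("method"),
        "username": username,
        "secret_in_url": bool(secret),
        "default_creds": (username, secret) in DEFAULT_CREDS,
    }

def scan_log(lines):
    """Scan access-log lines; return [(line_no, finding), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        finding = analyse_request_line(line)
        if finding:
            findings.append((n, finding))
    return findings

def redact_secret(line):
    """Mask the secret value so retained logs do not keep the password."""
    return SECRET_RE.sub("[REDACTED]", line)

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET /rawman?action=login&username=admin&secret=password HTTP/1.1" 200 118',
    '10.0.0.5 - - [12/Mar/2014:10:01:05 +0000] "GET /static/logo.png HTTP/1.1" 200 4510',
    '10.0.0.9 - - [12/Mar/2014:10:02:40 +0000] "GET /rawman?action=login&username=admin&secret=Str0ngPass HTTP/1.1" 200 118',
    '10.0.0.9 - - [12/Mar/2014:10:02:44 +0000] "GET /rawman?action=status HTTP/1.1" 200 60',
]
```

Run `scan_log(SAMPLE_LOG)` to list the offending lines, and pass each line through `redact_secret` before it is written to long-term storage.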

