MyPBX Default Credentials & Cleartext Transmission

MyPBX by Yeastar (Shodan search) ships with default credentials, and its login request sends them as GET parameters over unencrypted HTTP. Because the credentials are in the query string, the URL containing them may also appear in system logs:

GET /rawman?action=login&username=admin&secret=password HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 192.168.5.150
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.150/static/config/home.html
Proxy-Connection: Keep-Alive
X-Requested-With: XMLHttpRequest
Accept: */*

From the user manual:

From your web browser, input the IP address of the MyPBX server.
If this is the first time you are configuring MyPBX, please use the default
settings below:
IP Address: http://192.168.5.150
Username: admin
Password: password
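
A log audit for the exposure described above, added here as an example (not code from the original post or from Yeastar): it finds rawman login requests in access-log lines, flags use of the default admin/password pair from the manual, and redacts the secret value. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Default credentials as quoted from the user manual on this page.
DEFAULT_USER, DEFAULT_SECRET = "admin", "password"

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = [
    '192.168.5.20 - - [01/Jan/2014:10:00:00 +0000] "GET /rawman?action=login&username=admin&secret=password HTTP/1.1" 200 64',
    '192.168.5.21 - - [01/Jan/2014:10:00:05 +0000] "GET /rawman?action=login&username=ops&secret=S3cr%21t HTTP/1.1" 200 64',
    '192.168.5.20 - - [01/Jan/2014:10:00:09 +0000] "GET /static/config/home.html HTTP/1.1" 200 5120',
]

def audit_line(line):
    """Return (line with the secret redacted, finding dict or None)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    lookup = {k.lower(): v for k, v in params}
    if (not parts.path.endswith("/rawman")
            or lookup.get("action", "").lower() != "login"
            or "secret" not in lookup):
        return line, None
    is_default = (lookup.get("username"), lookup["secret"]) == (DEFAULT_USER, DEFAULT_SECRET)
    finding = {"username": lookup.get("username", ""), "default_credentials": is_default}
    # Rebuild the query string with the secret replaced, keeping parameter order.
    query = urlencode([(k, "REDACTED" if k.lower() == "secret" else v) for k, v in params])
    target = parts._replace(query=query).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], finding

def audit_log(lines):
    """Audit every line; return (redacted lines, findings with 1-based line numbers)."""
    redacted, findings = [], []
    for number, line in enumerate(lines, 1):
        clean, finding = audit_line(line)
        redacted.append(clean)
        if finding:
            findings.append({"line": number, **finding})
    return redacted, findings

if __name__ == "__main__":
    cleaned, found = audit_log(SAMPLE_LOG)
    for entry in found:
        print(entry)
    print("\n".join(cleaned))
```

Any account that appears in a finding has had its password written to the log in cleartext, so it should be rotated in addition to the log being redacted.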
