On May 23, 2013, xistence posted an advisory to Packetstorm warning of two shell accounts on CAREL pCOWeb devices that had blank passwords. In addition, there are four accounts for different services that have default passwords. According to the manual for pCOWeb:
ACCESSING THE USER MEMORY VIA FTP PROCEDURE
Figure 4.c – SmartFTP™: creating a new “Remote Browser”
1. Download, install and run SmartFTP™ on the PC.
2. Create a new “Remote Browser” and enter the data as shown in the Figure 4.c below.
NOTE The IP address should be replaced with the address of the pCOWeb; the default Username and Password are: httpadmin / fhttpadmin; paragraph 9.7.2 on page 50 describes how to change this information, and paragraph 9.3 on page 43 shows how to read the current information.
The following examples assume that the current data being used are httpadmin / fhttpadmin and the IP address is 10.0.0.145.
Whenever the configuration of the Logger is changed during the day, pCOWeb retains the values saved until that moment but updates the first three lines of the header (see Figure 5.f – left); if the selection of the logged variables is changed and the records saved until that moment need to be retained, proceed as follows:
1. before changing the configuration, save the data to the PC by first selecting Update cvs file and graph, then Download all the cvs and graphs;
2. disable all the variables currently selected for logging;
3. manually delete the file “history_diskbuffer” in the /usr/local/root/flash/http/cache directory by accessing the pCOWeb via FTP, with the “root” Username / Password (default “froot”); make sure not to modify other files / directories in this phase, as the “root” Username, in opposition to the case of “httpadmin”, has no restrictions;
4. reboot pCOWeb;
5. then restart the Logger, selecting the new variables for logging.
9.2.1 Authentication dialogue box for accessing the Administrator area
Following the previous points, an authentication dialogue box is displayed on the PC screen (Figure 9.a on page 40); complete the fields with the access information, then select OK.
The default settings are:
Username: admin Password: fadmin
View factory bootswitch parameters: shows a summary of the factory settings that pCOWeb will use if rebooted with the button pressed (see 3.1.2 on page 12);
– DEFIP / DEFNETM: IP address / subnet mask;
– PROOT / PHTTP / PCAREL / PGUEST: password respectively for the “root” / “httpadmin” / “carel” / “guest” Usernames in the operating system running on pCOWeb (see 9.7.2 on page 50).