
BlueSpray Irrigation Controller /main/index.html current-season Parameter Stored XSS

October 24, 2018

BlueSpray irrigation controllers do not require authentication to the web interface by default. Under Settings, the Season tab (served from /main/index.html) does not sanitize the current-season parameter, which allows a stored XSS attack. Because the interface is unauthenticated by default, anyone who can reach the controller can store a payload, and it executes in the browser of whoever later views the Season tab. Tested on firmware v2.1.1 (build date 5/22/2017, 8:27:18 PM).

The State of U.S. Politics Summed up in 10 (non-Onion) Headlines

July 31, 2018
  1. Trump administration must stop giving psychotropic drugs to migrant children without consent, judge rules
  2. Donald Trump Campaign Offered Actors $50 to Cheer for Him at Presidential Announcement
  3. Trump During Rally: “Look at My African-American Over Here”
  4. Trump Vows to Defend Non-Existent Articles to the Constitution
  5. Trump’s nicknames for rivals, from ‘Rocket Man’ to ‘Pocahontas’
  6. Donald Trump tells a space-loving 10-year-old to forget NASA — we need to fix potholes
  7. Fox News, CNN, MSNBC all broadcast Trump’s empty podium instead of Clinton’s big speech
  8. Exclusive: Trump’s 3,500 Lawsuits Unprecedented for a Presidential Nominee
  9. Porn star Stormy Daniels could recognise Trump’s genitals
  10. ‘It’s Now Season Two.’ How President Trump Turned White House Staffing Into a Cliffhanger

Emerson Network Power Devices (now Vertivco) Multiple Default Passwords

November 20, 2017

Emerson Network Power products, now owned by Vertivco, ship with default credentials that are printed in the vendor manuals. The credentials below are quoted from the manual named before each entry.

Source: Trellis-Power-Insight-User-Guide_EN-NA_5901291501B.pdf

Trellis Power Insight database:
Database administrator: mtpadmin
Database administrator password: admin
Database user: mtpuser
Database user password: passw0rd

Web Interface:
When the login page loads, enter Passw0rd123 in the Password field

Source: MGP53XX Installer-User Guide.pdf

MergePoint SP5324/SP5340 appliance:
a. Log into the console port as root with the default password avocent.

MergePoint SP5300 Web Interface:
Type admin as the username and type admin as the password

Managing MergePoint SP manager user accounts
The default user account username and password are both admin.

The "Managing Default Users (Admin users only)" section of the same guide lists many more default accounts.

Source: 590821501J.pdf

By default, two passwords are required to access the HMX user station via the transmitter. One password controls access to the user station, the other password controls access to the transmitter. In both cases, the default password is password.

Source: ASCO 5310 Installation Manual.pdf

ATS Remote Annunciator web interface (ASCO 5310):
When the ATS Remote Annunciator login page appears, enter the default login (admin) and password (ASCO), which are also printed on the unit's label (page 2 of the manual), and click Login.

Source: 590667501E.pdf

Source: 590667501d.pdf

Serial console:
When prompted, enter the username admin with the default password pm8.

Source: 590721501A.pdf

Source: 590836501E.pdf

Serial console:
One password controls access to the user station, the other password controls access to the transmitter. In both cases, the default password is password.

NetSure -48V DC Power System

Source: IM582127000.pdf

NetSure 4015 30kW 400V DC Power System

Source: NetSure-4015-IM584000300.pdf

To enter a password:
If a password screen opens, a password must be entered to allow the user to make adjustments. To enter a password, with the cursor at the User Name field (default is “Admin”), press the down arrow key to move the cursor down to the password line. Press ENT. “0” is highlighted. Press the up arrow key once to change the “0” to “1” (the default password is “1”), then press ENT twice. (Note: if you have been assigned a unique user name and password, follow this procedure to enter them.)

NetSure -48 VDC Power System

Source: NetSure-211-IM582136600.pdf

If a password screen opens, a password must be entered to allow the User to make adjustments. To enter a password, use the UP and DOWN keys to move the cursor to the Enter Password field. Press ENT. Use the UP and DOWN keys to choose a character. Press ENT to accept and move to the next character. Continue this process until all characters are entered. Press ENT again to accept the password. The default password is 640275.

Source: SL-52615.pdf

Control and configuration capabilities are protected by a username and password combination. Optionally, status information can be password-protected. The default username is “Liebert” and the default password is also “Liebert.”

General User account:
Username: User
Password: User
Viewing privileges only; no access to configuration or control functions.


Source: Liebert FDC - Installation Manual.pdf

A password is required for the first parameter configured during an editing session. After entering a valid password, you can configure multiple parameters. The default password is 0 (zero).

Source: SmartSwitch_-_50Hz_-_Installation_Manual.pdf

A password is required to change unit settings. The default password is “Liebert.”

AXP 1410

Source: 6806800h70d_axp_1410_iu.pdf

user name: root
password: root

Avocent OnSite Appliance

Source: 590744501A.pdf

When the OnSite is turned on, the appliance will display the login screen for the on-screen display. Enter admin as the login name, then enter the default password cyclades to display the main menu.

Source: 590222616M.pdf

When you first access the switch, you will be prompted through the Terminal window to enter a username.
a. Enter the username admin. By default, a password is not required.

To install the AMWorks software for the first time:
Run the AMWorks software. You will be prompted to type a password. The default password is password. To change the password, refer to the AMWorks software online help program.

Source: 590989501A.pdf

MergePoint SP5x24/SP5x40 manager:
a. Log into the console port as root with the default password Sydney.

eWON Devices Multiple Default Credentials

November 13, 2017

While researching the eWON devices I found their manuals had plenty of default credentials!

eWON 4000

Source: ewon4000gsuk30.pdf

Username: adm
Password: adm

eWON 2001, 2005, 2101, 4101

Source: ewon2001_in_2_0_7_uk.pdf

Source: ewon4101_in_1_0_3_uk.pdf

Source: ewon2101_in_1_0_3_uk.pdf

Source: ewon2005_in_1_0_3_uk.pdf

User Name:

eWON 500-2001-4001-4002

Source: ewon_rg_4_3_4_uk.pdf

Login adm
Password adm

eWON 500

Source: ewon500_ug_confgate_1_0_uk.pdf

and adm/adm as User Name/Password.

eWON eBuddy

Source: ebuddy_ug_1_1_uk_0.pdf

(default: adm/adm)

eWON Flexy

Source: quick_start_guide_flexy.pdf

Username: adm
Password: adm


eWON Cosy 131

Source: quick_start_guide_cosy_131.pdf

The default username & password are both “adm”

eWON eFive 25 & 100

Source: efive_quick_start_guide.pdf

At first login enter admin as the username and admin as the password.

Alcatel-Lucent OmniSwitch 6250 Switch sys_filesystem_info_si.html Multiple Parameter Stored XSS

March 1, 2016

The Alcatel-Lucent OmniSwitch 6250 Switch has a stored cross-site scripting (XSS) vulnerability in the /sys/content/sys_filesystem_info_si.html page (CVE-2016-78002). An authenticated user with permission to update the fields can inject arbitrary JavaScript into three fields; the values are stored and rendered on /phys/content/phys_chs_info_stable.html whenever that page is viewed. The fields are Contact (parameter EmWeb_ns:mip:208.T1:O1), Name (parameter EmWeb_ns:mip:209.T1:O2) and Location (parameter EmWeb_ns:mip:210.T1:O3), all updated by a single POST request.
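The BlueSpray current-season field above and the OmniSwitch Contact/Name/Location fields follow the same pattern: a value accepted on one page and rendered on another without output encoding. The Python below is an added example, not code from either product or from the original posts; it shows the vulnerable rendering next to the escaped fix, and the canary check a tester uses to confirm that a stored value comes back as markup rather than text. The page layout, the field names and the canary string are assumptions.

```python
"""Stored XSS in a device settings page: the unescaped rendering, the escaped
fix, and the canary check used to tell which one a target does.

Added example, not code from BlueSpray, Alcatel-Lucent or the original posts.
The page layout, the field names and the canary string are assumptions."""
import html
from html.parser import HTMLParser

# A canary that only survives in the page if the output is not HTML-encoded:
# it closes an attribute and a tag, then opens a tag name no real page uses.
CANARY_TAG = "zz0xss"
CANARY = f'"><{CANARY_TAG}>'

# Constructed stored settings: one attacker-controlled field, one benign one.
STORED_FIELDS = {
    "current-season": CANARY,           # stored via the Season tab (assumed)
    "Contact": "noc@example.invalid",   # benign value
}


def render_vulnerable(fields):
    """Builds the info page by string concatenation: stored values land in
    the HTML untouched, so any markup in them becomes part of the page."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>"
                   for k, v in fields.items())
    return f"<html><body><table>{rows}</table></body></html>"


def render_hardened(fields):
    """Same page with every stored value HTML-escaped at output time
    (quote=True also encodes the quote characters used to break attributes)."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in fields.items()
    )
    return f"<html><body><table>{rows}</table></body></html>"


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the rendered page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page, marker=CANARY_TAG):
    """Returns the canary tag each time it is parsed as a real element.
    A non-empty result means the stored value is rendered as markup."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t == marker]


def field_is_stored_xss(render, field, fields=STORED_FIELDS):
    """Tester's check: store the canary in one field, render the page that
    displays it, and see whether the canary came back as an element."""
    probe = dict(fields)
    probe[field] = CANARY
    return bool(injected_tags(render(probe)))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        print(name, "current-season ->", field_is_stored_xss(render, "current-season"))
```

The check parses the rendered page instead of searching for the raw string, so it is not fooled by a response that echoes the canary inside a comment or an already-encoded attribute. Against a live device the same idea applies: submit the canary through the settings POST, fetch the page that displays the field, and parse it.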

The payload looks like:


Alcatel-Lucent OmniSwitch 6250 Switch Default Admin Credentials

February 28, 2016

The Alcatel-Lucent OmniSwitch 6250 Switch can be managed over a telnet console or over HTTP through a web utility Alcatel-Lucent calls WebView. According to the manual, the switch creates a default admin account for management at first boot:

Startup Defaults
By default, a single user management account is available at the first bootup of the switch. This account
has the following user name and password:
• user name—admin
• password—switch


NOVUS SuperView New Application Default Admin Account

February 3, 2016

NOVUS Automation makes software called SuperView that “is a Supervisory Control and Data Acquisition software (SCADA) that brings to the user a visual development model to create applications. Besides communication with Modbus RTU and Modbus TCP devices, also is possible to use SuperView stations operating in Client or Server modes allowing distributed supervision of a process or system.” When creating a new application in the software, a default admin account is also created:


NOVUS AirGate-3G Dual SIM Industrial Cellular VPN Router Default Admin Credentials

February 2, 2016

NOVUS Automation makes a variety of products for ICS and SCADA management. The NOVUS AirGate-3G Dual SIM Industrial Cellular VPN Router installs with a default admin account according to the manual:


LOYTEC Electronics Multiple Devices Web Interface Default Admin Credentials

February 1, 2016

LOYTEC electronics GmbH has a manuals download section on their site (requires authentication) showing the following devices have a default admin account:

  • L-DALI DALI Light Controller
  • L-INX Automation Server
  • L-GATE Universal Gateway
  • L-IP CEA-709/IP Router
  • L-VIS
  • LIOB-10x I/O Module
  • LIOB-x5x I/O Module
  • LIP-ME20X L-IP BACnet Router
  • LWEB-802
  • LWEB-803
  • LWEB-900 Building Management System


The L-Proxy CEA-709 Gateway has a different default:


BEC Technologies Multiple Devices Web Interface Default Admin Credentials

January 29, 2016

Basically every BEC Technologies device uses a web interface for device management, and each one ships with the same default admin credentials:

Web interface:
Username: admin
Password: admin

The BiPAC 7800NL 802.11n ADSL2+ Firewall Router ships with multiple accounts:

Username: admin
Password: admin
Username: user
Password: user
Username: support
Password: support
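The Emerson/Vertivco, eWON, OmniSwitch and BEC posts above all come down to the same finding: a factory account that is still active on the web interface. The Python below is an added example, not code from any vendor manual or from the original posts; it checks a device web interface for a short list of documented defaults over HTTP Basic authentication, exercised here against a local mock device so it runs offline. The mock device (which still accepts the eWON factory adm/adm), the loopback port it binds, and the entries in DEFAULT_CREDS are assumptions; the username/password pairs are taken from the manuals quoted above.

```python
"""Default-credential check for a device web interface that uses HTTP Basic
authentication, run here against a local mock device so the example works
offline.

Added example, not code from any vendor manual or the original posts.  The
mock device (still accepting eWON's factory adm/adm), its port, and the
entries in DEFAULT_CREDS are assumptions; the pairs mirror the manuals above."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed inventory: (product, username, password), from the manuals above.
DEFAULT_CREDS = [
    ("MergePoint SP5300 web interface", "admin", "admin"),
    ("Liebert SL-52615", "Liebert", "Liebert"),
    ("eWON Flexy/Cosy", "adm", "adm"),
    ("OmniSwitch 6250 WebView", "admin", "switch"),
    ("BEC BiPAC 7800NL", "support", "support"),
]


class MockDevice(BaseHTTPRequestHandler):
    """Stands in for an unconfigured device: the factory account is active."""
    accepted = ("adm", "adm")  # assumption for the example

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        ok = False
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = (user, pw) == self.accepted
            except (ValueError, UnicodeDecodeError):  # malformed token
                ok = False
        if ok:
            body = b"welcome"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock_device():
    """Binds the mock on a free loopback port; returns (server, host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[0], srv.server_address[1]


def try_basic_auth(host, port, user, pw, path="/", timeout=3):
    """Returns True if the target accepts user:pw via HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": f"Basic {token}"})
        resp = conn.getresponse()
        resp.read()
        return resp.status == 200
    finally:
        conn.close()


def sweep_defaults(host, port, creds=DEFAULT_CREDS, max_attempts=10):
    """Tries each documented default once, capped at max_attempts so the sweep
    stays under typical account-lockout thresholds.  Returns accepted entries."""
    hits = []
    for product, user, pw in creds[:max_attempts]:
        if try_basic_auth(host, port, user, pw):
            hits.append((product, user, pw))
    return hits


if __name__ == "__main__":
    srv, host, port = start_mock_device()
    try:
        for product, user, pw in sweep_defaults(host, port):
            print(f"{host}:{port} accepts {user}:{pw} ({product} default)")
    finally:
        srv.shutdown()
        srv.server_close()
```

Two caveats when pointing this at real hardware. Several of the interfaces above are not Basic-auth at all (the Trellis page takes the password in a form field, the NetSure and Liebert units prompt on a serial console or front panel), so try_basic_auth has to be swapped for a form POST or a serial session in those cases. And keep max_attempts small: a sweep of every pair on the page against one device is enough to lock the very account you are trying to confirm.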