Vigil@nce - Technicolor TC7200: information disclosure via GatewaySettings.bin
March 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can download GatewaySettings.bin from a Technicolor
TC7200 in order to obtain the administrator password.
Impacted products: SpeedTouch
Severity: 2/4
Creation date: 26/02/2014
DESCRIPTION OF THE VULNERABILITY
The Technicolor TC7200 product offers a web service.
The /goform/system/GatewaySettings.bin page can be used to
download the configuration without authentication. The
administrator password is stored in clear text in the downloaded
file.
An attacker can therefore download GatewaySettings.bin from a
Technicolor TC7200 in order to obtain the administrator password.
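The following detection sketch is an added example, not part of the Vigil@nce bulletin or of any Technicolor code. It assumes an HTTP proxy or network sensor that records requests to the modem's web service in Common Log Format, and flags successful downloads of the path named above; the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Path named in the bulletin.
CONFIG_PATH = "/goform/system/GatewaySettings.bin"

# Common Log Format prefix: client, user, timestamp, request line, status, size.
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def config_downloads(lines):
    """Return successful (2xx) requests for the configuration file.

    The request target is stripped of its query string and
    percent-decoded before comparison, so rewritten forms of the
    same URL are still matched.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path = unquote(urlsplit(m["target"]).path)
        if path != CONFIG_PATH or not m["status"].startswith("2"):
            continue
        hits.append({
            "client": m["client"],
            "time": m["ts"],
            # "-" in the log means no HTTP auth user was presented.
            "auth_user": None if m["user"] == "-" else m["user"],
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
        })
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [26/Feb/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Feb/2014:10:03:15 +0000] "GET /goform/system/GatewaySettings.bin HTTP/1.1" 200 21480',
    '198.51.100.7 - - [26/Feb/2014:10:03:20 +0000] "GET /goform/system/GatewaySettings%2Ebin?x=1 HTTP/1.1" 200 21480',
    '203.0.113.5 - - [26/Feb/2014:10:05:00 +0000] "GET /goform/system/GatewaySettings.bin HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in config_downloads(SAMPLE):
        print(hit)
```

Any hit with no authenticated user means the configuration, and with it the clear-text administrator password, has left the device; the password should be treated as exposed and changed.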