#18177: 6in4.sh HE.net dynamic endpoint update transmits password in the clear
------------------------+-----------------------------------
 Reporter:  askalski@…  |      Owner:  developers
     Type:  defect      |     Status:  new
 Priority:  normal      |  Milestone:  Barrier Breaker 14.07
Component:  packages    |    Version:  Trunk
 Keywords:  security    |
------------------------+-----------------------------------
package/network/ipv6/6in4/files/6in4.sh uses plain HTTP instead of HTTPS
when hitting the HE.net tunnel update API. This causes the tunnel API
username+password to be sent in the clear. These credentials would allow
an attacker to hijack the user's tunnel.

The attached patch switches the hard-coded URL over to https.
--
Ticket URL: <https://dev.openwrt.org/ticket/18177>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
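
An added example, not part of the ticket or its attached patch: a shell check that flags any `http://` URL in a script that carries credential-like query parameters or `user:pass@` userinfo, which is the pattern this ticket reports. The function name, the parameter list and the `example.invalid` host are assumptions, and the sample script lines are constructed.

```shell
#!/bin/sh
# Audit shell scripts for credentials sent over plain HTTP.
# CRED_PARAMS is an assumed list of credential-like query parameter names.
CRED_PARAMS='user|username|pass|password|passwd|token|key|apikey'

# Print "file:line:url" for each http:// URL that carries a credential-like
# query parameter or userinfo (user:pass@host). https:// URLs are not flagged.
find_cleartext_cred_urls() {
	for f in "$@"; do
		# Stage 1: extract every http:// URL together with its line number.
		# Stage 2: keep only URLs that expose credentials.
		grep -nEo "http://[^\"' )]+" "$f" 2>/dev/null |
		grep -Ei "http://[^/]*:[^/@]*@|[?&]($CRED_PARAMS)=" |
		while IFS= read -r hit; do
			printf '%s:%s\n' "$f" "$hit"
		done
	done
}

# Constructed sample input (not the real 6in4.sh): one cleartext update call,
# the same call over https, and a plain-HTTP fetch without credentials.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
wget -qO/dev/null "http://update.example.invalid/nic/update?username=$username&password=$password&id=$tunnelid"
wget -qO/dev/null "https://update.example.invalid/nic/update?username=$username&password=$password&id=$tunnelid"
wget -qO/dev/null "http://downloads.example.invalid/packages/index.html"
EOF

# Only line 1 of the sample is reported.
find_cleartext_cred_urls "$sample"
```

Run over a source tree (for example from a CI job), any output is a finding to review before the script ships.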