Hi,
On Aug 23, 2008, at 7:32 PM, Dirk Meyer wrote:
Pavel Simerda wrote:
On Sat, 23 Aug 2008 18:21:38 +0200
Dirk Meyer <[EMAIL PROTECTED]> wrote:
UPnP is a working choice, but bad. Just google for it.
I know what UPnP is.
I mean: google why it is a bad choice :) See below
Since it is based on HTTP attackers found a way to open ports on
your router.
Please be more precise, this is not a useful piece of information at
all.
OK. UPNp uses HTTP. If an attacker knows your router IP address (in
many cases 192.168.1.1) he can use your browser to open port
forwarding on your router so you expose services (windows has a lot of
services that should be closed to the outside).
An attacker with access to 192.168.1.1 is inside your network. He is
already inside with access to your services, the game is already lost.
First link I found using google:
http://www.haveyougotwoods.com/archive/2008/01/15/common-home-
router-exploit-upnp-enabled-routers-only.aspx
I'm not defending UPnP really, but this attack boils down to: you
download an application and allow said application to access your
network.
And the author is surprised that this is a security risk? UPnP
exploits should be the least of his problems.
(I don't know much about Flash, but I though it had the same same-
source security mechanisms of Javascript, and in that case the attack
described would not work)
Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: [EMAIL PROTECTED]
Use XMPP!
