found a way to recover the SIP password
This commit is contained in:
Conor Horan-Kates
parent
aeb3c02989
commit
70cc2c099e
@ -36,3 +36,13 @@ name | description
|
|||||||
* SIP password is not included in exported config.xml
|
* SIP password is not included in exported config.xml
|
||||||
|
|
||||||
the same functionality, in a different interface is now available on the dialer as well as via HTTP. interestingly, many features/settings are exposed on the dialer, while all access over HTTP must be authenticated
|
the same functionality, in a different interface is now available on the dialer as well as via HTTP. interestingly, many features/settings are exposed on the dialer, while all access over HTTP must be authenticated
|
||||||
|
|
||||||
|
## further research
|
||||||
|
|
||||||
|
### SIP password exposed
|
||||||
|
|
||||||
|
the SIP password is notably absent from configuration exports, and masked in the browser, but there are 2 avenues to recovering it anyway:
|
||||||
|
* once the PIN is known, viewing 'Options'->'SIP settings' from the physical device exposes the plaintext password
|
||||||
|
* the PIN is masked in the web interface, but only because the <input type='password'>, and since the traffic is running over HTTP, sniffing web traffic while the page is loaded exposes the plaintext password
|
||||||
|
|
||||||
|
in a twist on the second issue mentioned above, if any other changes are made on the 'SIP Settings' page (like the display name), when 'Submit' is clicked, your browser will prompt you to save the password. standard saved password recovery tools will expose the plaintext password too
|
||||||
Loading…
Reference in New Issue
Block a user