Password bug with The Dude maps v6 (we can read XML)

nikola033 · Thu Jan 11, 2018 5:52 pm

Hi everyone,

On The Dude maps version 6, when copying element from the map into Notepad, we get xml, and we can read all data related to that element and also password.

Does anyone have this problem?

eriitguy · Thu Jan 11, 2018 6:23 pm

Hello, nikola033!

It seems that we have similar situation:

Dude-v6-Device-xml.png

Thank you!

nikola033 · Sun Jan 14, 2018 3:19 pm

Hi eriitguy,

I am pleased to you have joined on this topic, and that I helped you with this information.

ps. Sorry for my English

nikola033 · Mon Jan 15, 2018 8:04 pm

Also, if you do not have a winbox file on your computer, but winbox tool is runned on some device, you can also see the user / pass.

HaQs · Tue Jan 16, 2018 12:14 pm

MT know this

very long.
And nothind do with this.

nikola033 · Wed Jun 06, 2018 6:20 pm

Hi,

Do you have new information for us?
update 6.43rc23 did not fix the problem.

Thanks a lot
Best regards
Nikola

jdtins · Tue Jun 19, 2018 7:16 pm

This would be a great thing to fix. We had a penetration tester use this as a way to gain access to our routers. It has caused management to consider ripping out Mikrotik in favor of something we can manage in a secure manner.

Any response would be appreciated!

Thanks,

Jonathan

nikc · Tue Jun 19, 2018 7:42 pm

This would be a great thing to fix. We had a penetration tester use this as a way to gain access to our routers. It has caused management to consider ripping out Mikrotik in favor of something we can manage in a secure manner.

Any response would be appreciated!

Thanks,

Jonathan

Surely changing the management tool would be a far less drastic approach ?

That said ... it needs fixing !

tibobo · Wed Jul 04, 2018 4:27 pm

Guys, let's be reasonnable.

I can create my own tools and use [Device.Password] which is nice since I do not have to type it the whole day long.

Event if MT guys were to cypher the password in the DB and in the XML and wherever you can see it, what will prevent me from creating this tool :
cmd /c "echo [Device.Password] && pause"
Or any other tool where I show/store the password ?

So what's the point ?

Chupaka · Wed Jul 04, 2018 6:55 pm

what will prevent me from creating this tool :
cmd /c "echo [Device.Password] && pause"

Huh... Readonly rights?

Thu Jul 05, 2018 7:36 am

Not about the initial question, but ... why would you save passwords on a machine you don't trust? Encrypt your disk and use a strong login password for the user of this device.

Thu Jul 05, 2018 9:46 am

Normis ... you answer resembles me the quotation of Polish Nobel's prize receiver: "If you have fever do shutter a thermometer."

tibobo · Thu Jul 12, 2018 2:34 pm

what will prevent me from creating this tool :
cmd /c "echo [Device.Password] && pause"
Huh... Readonly rights?

OK, agreed

Password bug with The Dude maps v6 (we can read XML)

Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Re: Password bug with The Dude maps v6 (we can read XML)

Who is online