Re: Cisco VPN Concentrator GUI

From: Stephen Hassard (steve@hassard.net)
Date: Mon May 16 2005 - 10:32:15 EDT


Hi,

Are you talking about Cisco's administrative interface, or the
WebVPN interface? WebVPN allows users to access network resources
through a web client. While this is obviously a point of concern, ACLs
can be configured to limit access to resources for users.

I don't believe that the Cisco VPN Concentrator will lock out admin
accounts after invalid login attempts, so exposing the admin interface
would be of great concern.

later,
Steve

kaps lock wrote:
> hi all,
> I am pen-testing one of our clients and am seeing
> their web interface to the VPN concentrator (Cisco)
> available publicly on the internet with the username
> /password page.
> How could I explain to somebody that it can be
> exploited...am sure this is not a good idea to have your
> VPN concentrator interface on the public internet..but
> I can't find any vulnerabilities on the net ....to
> explain to the person....only thing I can think of is
> brute forcing the username password field...which is
> again a challenge for web VPN..any ideas??
> thanks


