I found the same issue and more (even a DoS) in the Canon web UI: https://www.mattandreko.com/2013/06/18/canon-y-u-no-security/
Unfortunately, Canon's response seems less than impressive. They apparently don't really care as long as the product sells. Their response is pretty much, "Nobody would be stupid enough to put it on a public IP", yet there are hundreds on ShodanHQ. I saw some for big universities' libraries. Imagine the fun a bad-guy could have DoS'ing the printer during finals-week. I was trying to reverse the firmware, to find more bugs, but didn't have a lot of luck, as that's not really my thing. However, I'm guessing someone that does it regularly could have a hay-day. On Fri, Mar 28, 2014 at 5:20 PM, Taylor Hornby <[email protected]> wrote: > Affects: Canon PIXMA MX722 Printer (and probably other Canon printers). > > After typing my WPA2 WiFi password into the printer (through the > built-in hardware keypad), it exposes the cleartext password to the LAN > through an admin page that isn't password protected: > > https://twitter.com/DefuseSec/status/419910112442982401/photo/1 > > You can enable password protection of that page, but: > > 1) There is no password protection by default. It silently exposes your > password, and you'll never know unless you go looking for it. > > 2) There's no need to embed the actual password in the HTML form anyway. > They could have used placeholder text instead of the real password. > > Regards, > -- > Taylor Hornby > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
