You can use the web interface to make changes to almost all MFPs without authentication or minimal credentials HP and Canon are the worst in that regard. Scan to e-mail accounts are usually set up with a default user name and password for the mfp to authenticate with. Most companys will use and admin account to do this with. So getting one username and password gets you a lot. Oh yea, HP has no authentication on the web browser either so it is pretty easy to get at the information unless you block port 80, if the device allows you to do so. Have fun. -------------------------------------------------- From: "k41zen" <[email protected]> Sent: Tuesday, November 03, 2009 6:55 AM To: "PaulDotCom Security Weekly Mailing List" <[email protected]> Subject: [Pauldotcom] HP9000 multifunction devices hooked into AD
> So a client has purchased several HP9040 multifunction devices (MFP) to > allow them to use the scanning feature so that they can scan a doc and > have it email the result to them. > > From the limited documentation provided, several areas of interest jump > out such as: > > Securely stores usernames and email addresses with an LDAP sync from AD > Authenticates the user to AD at the printer panel > Scan a document and have it automatically emailed to you > Scan a document and have it automatically saved to your home drive > > I get to play with this later this week but wondered if someone has > already looked into what fun can be had with these devices. > > Grateful for any info. > > Regards, > > k41zen > > > > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
