Disney's Go Express Search operates a publicly open HTTP server on port 1234 that does not use any authentication to confirm the identities of the users connecting to it. A remote attacker can submit search queries, and view queries and personal links left by other users. It is also possible to access the configuration interface, which can reveal the e-mail address of the user who registered it (the configuration can also be changed remotely, making it possible to add, remove or alter personal links).

Credit:
The information has been provided by: Honeylocust Media Systems.
Exploit:
If "user.dialup.isp.com" is running Express Search, you can access its Go Express HTTP server by visiting http://user.dialup.isp.com:1234/.
Workaround:
To prevent attacks, disable Go Express Search on your computer and wait for a patch from Disney.
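
To confirm the workaround took effect on your own machine, the following added example (not part of the original advisory) checks whether anything on the local host still answers HTTP on port 1234 without asking for credentials. The function names and status labels are this example's own assumptions.

```python
import http.client
import socket

GO_EXPRESS_PORT = 1234  # port named in the advisory


def local_addresses():
    """Loopback plus the IPv4 addresses this machine's hostname resolves to."""
    addrs = {"127.0.0.1"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass  # hostname does not resolve; loopback alone is still checked
    return sorted(addrs)


def check_listener(addr, port=GO_EXPRESS_PORT, timeout=2.0):
    """Classify what answers on addr:port (labels are this example's own).

    'unreachable'   nothing accepted the connection or it timed out
    'non-http'      something answered, but not with a valid HTTP response
    'auth-required' HTTP server that challenges for credentials
    'open-no-auth'  HTTP server that serves "/" with no challenge
    """
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
    except http.client.HTTPException:
        return "non-http"
    except OSError:
        return "unreachable"
    finally:
        conn.close()
    if resp.status == 401 or resp.getheader("WWW-Authenticate"):
        return "auth-required"
    return "open-no-auth"


if __name__ == "__main__":
    for addr in local_addresses():
        print(f"{addr}:{GO_EXPRESS_PORT} -> {check_listener(addr)}")
```

After Go Express Search is disabled, every local address should report `unreachable`; `open-no-auth` means an unauthenticated HTTP service is still listening on that port.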