by zwp 2223 days ago
Query params often end up in stuff like web server (WAF, load-balancer, reverse proxy, ...) access logs and they might get accidentally exposed.

They shouldn't get exposed of course, but they do. [EDIT: redacted an example of some random dude's access log]

If you search for "password" in there you will likely see a new Mirai bot variant [1] bouncing credentials off the server looking for weblogin.cgi on vulnerable Zyxel devices.

I imagine PA highlighted this detail in their post ("weblogin.cgi accepts both HTTP GET and POST") exactly to ensure defenders don't restrict themselves to blocking or investigating only the more normal POST mechanism.

[1] https://unit42.paloaltonetworks.com/new-mirai-variant-mukash...

1 comments

Yeah that's a fair point. So the security is worse in that sense, so many ways to leak it. It'd be insanity to put sensitive info in the query params either way. It's just not the appropriate place for them.
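
Added example, not part of either comment above: a log-review sketch in Python that flags requests to weblogin.cgi whatever the HTTP method and masks sensitive query values before they are reported onward. The log lines, the `/cgi-bin/` path prefix, the parameter-name list and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}  # assumed name list
WATCHED = "/weblogin.cgi"  # endpoint named in the thread; matched for any method

# Request part of a common/combined log format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IPs, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2020:10:00:01 +0000] '
    '"GET /cgi-bin/weblogin.cgi?username=admin&password=s3cr3t-A HTTP/1.1" 404 162',
    '192.0.2.10 - - [10/Mar/2020:10:00:02 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 404 162',
    '198.51.100.7 - - [10/Mar/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2020:10:00:04 +0000] '
    '"GET /login?user=alice&Password=s3cr3t-B HTTP/1.1" 302 0',
]

def redact(target):
    """Mask sensitive query values; return (safe_target, had_secret)."""
    parts = urlsplit(target)
    had_secret, pairs = False, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            had_secret, value = True, "REDACTED"
        pairs.append((key, value))
    return parts._replace(query=urlencode(pairs)).geturl(), had_secret

def scan(lines):
    """Flag watched-endpoint hits (GET or POST) and secrets in query strings."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        safe_target, had_secret = redact(m["target"])
        probe = urlsplit(m["target"]).path.lower().endswith(WATCHED)
        if probe or had_secret:
            findings.append({"ip": m["ip"], "method": m["method"],
                             "target": safe_target, "probe": probe,
                             "secret_in_query": had_secret})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A POST body never reaches the access log, so the POST hit is caught only because the match is on the path rather than on the presence of credentials in the query string.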