Full title: Osprey Pump Controller 1.0.1 Administrator Backdoor Access Vulnerability 
Category: web applications
Platform: php
Osprey Pump Controller version 1.0.1 has a hidden administrative account admin that has the hardcoded password Mirage1234 that allows full access to the web management interface configuration. The user admin is not visible in Usernames and Passwords menu list (120) of the application and the password cannot be changed through any normal operation of the device. The backdoor lies in the /home/pi/Mirage/Mirage_ValidateSessionCode.x ELF binary.

# 0day.today @ http://0day.today/