dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
 ·Comcast
1 edit | Windows Explorer bypasses router password Posted this in Linksys forum »[Security] Windows Explorer bypasses password
Edit:XP SP2
BEFSR41 V3 Firmware Version: 1.05.00
But I feel this forum to be more appropriate.
I noticed lately when I type 192.168.1.1 in Windows Explorer it takes me to my router settings page but if I use Internet Explorer it prompts me for password. I don't think it was like that on my 98SE box?
I can change all settings including password even after clearing cache and running CCleaner. I don't use AutoComplete so passwords,urls,etc are not stored on this machine.
How can I disable this from happening?
I am unable to do this on an XP Home laptop that is connected to this router?
--
Prevent Malware | |
|
 |
 |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: Windows Explorer bypasses router password
No passwords saved on this machine. |
--
Prevent Malware | |
|
|
|
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: Windows Explorer bypasses router password said by jack b  :I can confirm this, it is happening here, too. In fact, if I open IE(6) and paste in 192.168.0.1 (d-link) the password dialog box pops up pre-filled in, and selecting OK brings me to the web admin application. I know I NEVER selected SAVE for this logon page. And from an explorer window, if I paste in the address, it just goes directly right to the first page in the router menu, no userID and password prompt at all! A feature? This is not good! We need to disable this feature. It must be XP SP2(me) and XP Pro(you) because I can't duplicate it on older machines
--
Prevent Malware | |
|
altermatt
Premium
join:2004-01-22
White Plains, NY
 ·Verizon Online DSL
| SMC Barricade, typing my router addy, 192.168.2.1, in Windows Explorer (XP) still gives me a password prompt, just as it does in IE. (Note: for me, 192.168.1.1. is my DSL modem, not my router).
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick | |
|
|
niccolus
Niccolus Leader Of Midgets
Premium
join:2003-10-22
Long Beach, CA
| Question: You guys that are experiencing it. Do you have multiple accounts on your PC's or has your PC been used by anyone who may have needed access to the router because another account could have saved the password and since it is not associated with their specific profile it could actually just be filling in. | |
|
| hurfy
Premium
join:2002-08-06
Spokane, WA
| Re: Windows Explorer bypasses router password Couldn't do it on xp pro and a sonicwall. Maybe it is d-link?
Put in password closed explorer and tried again. Got the same login screen. Never asked about saving it nor did it.
Does one or the other method append a slash or something that d-link interpets diferently perhaps?
Autocomplete for the address in explorer now recognizes 3 posibilities (after typing in just 10.0.0.254):
h ttp://10.0.0.254
h ttp://10.0.0.254/main.html
h ttp://10.0.0.254/maintain.html
(done on computer that has never had a url typed in explorer nor ever gone to our sonicwall)
Oh well i tried 
xp pro sp2 but without most current patches i think. | |
|
Kayrac
Premium
join:2001-09-29
Rochester, NH
1 edit | Nm after testing, it doesn't work on my linksys wrtg54gs | |
|
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
1 edit | Re: Windows Explorer bypasses router password Works? Meaning you can reproduce this flaw? withdrawn | |
|
| | 
planet
join:2001-11-05
Olmsted Falls, OH
·Cox HSI
| Re: Windows Explorer bypasses router password Running XP HE SP2 with
BEFSR41 V3 Firmware Version: 1.05.00
When I try and access via Windows Explorer it won't load the page.
I remember that I had to place it in my trusted zone for IE to work with it. Wondering if that has anything to do with it. | |
|
| | |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: Windows Explorer bypasses router password said by planet :Running XP HE SP2 with BEFSR41 V3 Firmware Version: 1.05.00 When I try and access via Windows Explorer it won't load the page. I remember that I had to place it in my trusted zone for IE to work with it. Wondering if that has anything to do with it. You talking about 2 different things, LAN and WAN with LAN being Windows Explorer and WAN being Internet Explorer.
--
Prevent Malware | |
|
| | | |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: Windows Explorer bypasses router password OK, planet and Greg_Z got me on the right track. I noticed Windows Explorer was given full internet access in McAfee Firewall applications so I blocked it and now I am unable to access the router from WE. But still I shouldn't have to do this, Right? I will look into your reghack when I get back Greg_Z.
I'm late for a proposal with some homeowners.
--
Prevent Malware | |
|
| | | | | 
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire | Re: Windows Explorer bypasses router password No, you are right, you should not be able to access router without being challenged, no matter what with.
Cudni | |
|
norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband
|
Password prompt when I do this. Cannot reproduce your issue Dolphins.
Auto complete is off here.
XP SP2 Pro
Befsx41 ver 2, firmware 1.50.18
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke | |
|
Greg_Z
Premium
join:2001-08-08
Springfield, IL
·Comcast
| Dolphins, it is most likely that one machine. Either caching the page, and not clearing, or something is fubared in your install. I have my IE7 and have always with IE6 to clear Temp. Internet files, also do not have AutoComplete turned on.
Also, another thing is, I have registry changes in place to clear certain settings for security purposes.
--
I threw out the map a long time ago. Now I follow my own direction! | |
|
Greg_Z
Premium
join:2001-08-08
Springfield, IL
·Comcast
| When you attempt to view a password-protected site, you are normally prompted to type your username and password with an option to "Save this password in your password list". This tweak can be used to disable the ability for users to save passwords.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Internet Settings]
Name: DisablePasswordCaching
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disable password cache)
This setting controls whether web pages encrypted using Secure Sockets Layer (SSL) should be stored on the hard disk in the temporary Internet cache.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Internet Settings]
Name: DisableCachingOfSSLPages
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disabled caching)
--
I threw out the map a long time ago. Now I follow my own direction! | |
|
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
1 edit | Re: Windows Explorer bypasses router password Doesn't this reghack essentially do what MKB article that Cudni posted does? And if you read my follow up to Cudni's post you'll see that no passwords have been stored on my machine. Also my original post shows that AutoComplete is not enabled and never will be.
Damn, this is really buggin' me! I know this is something that happened recently cause I've never been able to access my router from WE with being prompted for password.
--
Prevent Malware | |
|
Kendas
join:2001-02-26
Tucson, AZ
| This is why you never leave the default IP address on the router.
Of course that IP didn't work for me as I use a different IP address for the router.
Cheap security: Use a "non-routable" IP address/subnet mask and a good firewall to keep people out.  | |
|
|
planet
join:2001-11-05
Olmsted Falls, OH
·Cox HSI
| Re: Windows Explorer bypasses router password Dolphins,
I understand your concern. But, would this be an issue from the WAN side or only the LAN side? Ya gotta love a password protected software FW in cases like this.
This could pose a real problem for business' if employees can access the router via Windows Explorer. | |
|
| |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: Windows Explorer bypasses router password said by planet :Dolphins, I understand your concern. But, would this be an issue from the WAN side or only the LAN side? Ya gotta love a password protected software FW in cases like this. This could pose a real problem for business' if employees can access the router via Windows Explorer. An attack would have to come from the WAN in order to reach the LAN but a well written web page with intent to steal could bypass my router if I had no other security in place.
As for this being widespread I'm unsure cause only the 2 of us so far have been able to do this.
--
Prevent Malware | |
|
| | | 
jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
clubs:
·Comcast
| This stinks I thought I had it licked with a reboot, but once I successfully logged in to the router in IE, and then closed the browser, I opened windows explorer, pasted the address and went right in... no password challenge.
Trying again using IE, dialog box popped up, pre-filled in.
I DO NOT have auto complete or upnp service active!
--
~Help find a cure for Cancer~
~Proud Member of Team Discovery ~ | |
|
| | | |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
1 edit | Re: This stinks Ok, Got a response from Linksys.com forums and it's pretty much what you did(rebooted)and what jbob is saying.
»forums.linksys.com/linksys/board···ue#M2576
quote:
As long as windows is running, windows explorer is running, too. If you enter the password once it remains cached until windows is rebooted. It is the same with internet explorer: as long as one internet explorer window remains open the password entered before remains cached. You have to close all internet explorer windows (ending iexplore.exe) before you have to enter it again. This is on purpose. Else you would have to enter the password again and again for all router pages.
Edit: I still can't see why this isn't happening to everyone? Is everybody but me and jack_b rebooting everytime they close windows?
--
Prevent Malware | |
|
| | | | |
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| Re: This stinks They think of it as feature? I've got 2 browsers accessing the router from same machine and still explorer is challenged when it tries. Unless they change the firmware not much you can do except prevent explorer access with firewall.
Cudni
--
Some are born to failure, others achieve it, all deserve it.Help yourself so God can help you.MVP, Microsoft Windows Security 2006 | |
|
| | | | | |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: This stinks No it's not a router feature it's a windows feature. jack_b is running a D-Link router and has the same problem.
That's why I can't understand why no one else has this problem.
--
Prevent Malware | |
|
| | | | | | |
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
2 edits | Re: This stinks Probably not, but try with another router or connect another comp? I think there would be many more people able to confirm you finding if it was just windows.
edit@ It is the combination of Explorer and IE (i use Firefox usually). I have accessed the router with IE and then followed with explorer. This time it displayed both the user name and password populated and i all i have to do is press ok and now it remembers the setting even though i didn't click the remember the password. If i close IE explorer is challenged on subsequent tries 
Cudni
--
Some are born to failure, others achieve it, all deserve it.Help yourself so God can help you.MVP, Microsoft Windows Security 2006 | |
|
| | | | | | | BandHeight
join:2004-08-30
Portland, TX
| If I uncheck:
Windows Explorer->Tools->Folder Options->View->
Launch Folder Windows In A Separate Process
I can recreate your issue (no user / password prompt). However, with the setting checked (as I always have it set), the prompt occurs each time Windows Explorer is used to launch the router administration page (D-Link router). | |
|
| | | | | | | | |
| | | | | | | | |
jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
clubs: | Re: This stinks YUP.
Checking that stopped the "feature".
Seems unchecked IS default setting. | |
|
| | | | | | | | | BandHeight
join:2004-08-30
Portland, TX
| said by dolphins :BINGO! We have a winner! Thank You Thank You Thank You Edit: The only thing now is how did mine get unchecked? You're welcome.
By the way, Jack B is correct that default is "unchecked". My intent, though not clear, by saying "as I always have it set" was to let you know that I actually set the option.
As to why everyone else here seems to have the setting changed from default: it is a fairly common and often recommended tweak. However, the reason usually cited for the recommendation is that it decreases the chances of a crashed Explorer window taking down the entire system because each instance of Explorer (with the option checked) is opened in a separate process as should be clear from the option's name. However, as you have found out and as can be easily imagined , the issues that can be caused by the default setting are more wide ranging. | |
|
| | | | | | | | |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: This stinks Thanks for the follow up. You are now one of my close friends whether you like it or not.
--
Prevent Malware | |
|
| | | | | | | | |
jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
clubs:
·Comcast
| Re: This stinks Thanks to dolphins, for posting about this in the first place, and also to BandHeight, for posting the fix to an obscure and potentially sensitive issue.
--
~Help find a cure for Cancer~
~Proud Member of Team Discovery ~ | |
|
| | | | | | | | |
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: This stinks said by jack b :Thanks to dolphins, for posting about this in the first place, and also to BandHeight, for posting the fix to an obscure and potentially sensitive issue. I say cheers to that and yes, A round of applause for BandHeight for having the ability to see what others did not. I know first hand how hard it is to diagnose someone else's computer problems without having physical access.
I went through my folder options a dozen times but saw nothing that would solve this problem as I'm sure most of the people trying to solve this did. I consider this to be a another Microsoft flaw as I need to know the reasoning why this is unchecked by default?
--
Prevent Malware | |
|
fcisler
Premium
join:2004-06-14
Riverhead, NY | I'm gonna take a stab at this.....
How many of you who can type your routers address directly into windows explorer, and have it give you access, have NOT disabled the security risk UPnP service?!?! | |
|
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: Windows Explorer bypasses router password One of the first things I did when I got this machine up and running was to disable UPnP. Also Since all I did was swap machines(old for new) on the router UPnP was already disabled in my router settings.
--
Prevent Malware | |
|
speeddemon100
join:2001-02-18
West Hempstead, NY | Well I've been testing Vista for a while and it can't be duplicated here. (192.168.2.1)(Belkin) Typing this in Explorer launches internet explorer, and then prompts for password. | |
|
| speeddemon100
join:2001-02-18
West Hempstead, NY | Re: Windows Explorer bypasses router password On XP Home SP2, I can not duplicate dolphins issue. Like I said with Vista I have a Belkin Router - 192.168.2.1. Windows Explorer will prompt for password as well as IE6. | |
|
|
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| Re: Windows Explorer bypasses router password said by jbob :This are my results. 1st I'm not sure one can separate Windows Explorer from Internet Explorer. From my feeble memory I seem to remember one of the features programmed into Explorer was to be able to Explore/Browse a network similar or even via HTTP which is why the two are almost inseparable. If you type in a web link in Windows Explorer it will bring up the Web browser and take you to the site. You are correct. Windows Explorer opens IE when an web address or IP is typed into address bar but the problem we are having is that even after closing all windows we can still enter router without being prompted for password.
The only thing I can think is that me and jack_b have something running that keeps Windows open? I thought it might have been WallWatcher but I removed it and still the same problem.
--
Prevent Malware | |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| All of you that can confirm the issue, do you have the same model router/firmware
BEFSR41 V3 Firmware Version: 1.05.00 as dolphins ? | |
|
swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable
1 edit | I'm coming to this late, but just want to say that the problem did not occur on Windows 2000 SP4 with "separate process" unchecked, upnp disabled, and the options set to never save any data (passwords, form data, autocomplete). This agrees with dolphins' surmise that it's XP only.
@dolphins and planet, untrusted LAN users can be a concern even if this is not exploitable from the WAN side.
said by jbob :One of the things I discovered using FireFox with multiple tabs open is that once you log in to a site that requires a login name/password unless you completely close all the tabs and Firefox itself it will remember the login name and password for each site entered. Example: If I have Firefox open with two tabs, one on DSLR and one on Yahoo Mail, if I close the tab to DSLR and then open a new tab and go back to DSLR I will not be asked to login again. Same with Yahoo Email. As long as one instance of my browser remains open it will retain that info.
When you login to DSLR for example, if you have the option set to not store passwords or other form data, Firefox obeys your setting and does not retain the login or password. The reason you stay logged in is that upon login you pick up a cookie which contains a token generated at your login, and that cookie gets checked at each subsequent page load. At least some routers use this method too. Mine for example is a Netgear and uses the cookie method.
The OP's issue, and the same as encountered by others, is Windows retaining credentials and maybe also a non-cookie token.
-------
If the login credentials or token are stored other than by a cookie, this indicates that the router uses a proprietary Windows login method rather than a web-standard method, correct?
Also, the "separate process" setting is a workaround; it doesn't mean the behavior is not a bug. Windows' retaining the credentials even when told not to is a defect. | |
|
|
|
|
·
