# DLINK DPH-400SE - Exposure of Sensitive Information to an Unauthorized Actor ### Description During a penetration testing engagement I interacted with DLINK DPH-400SE running a firmware version of **FRU 2.2.15.8**. It's basically a VoIP phone and the vendor is [DLINK](https://dlink.com) In this writeup. I explain how I was able to uncover yet another vulnerability generally a weakness of the ID 200 : **[CWE-200](https://cwe.mitre.org/data/definitions/200.html)**, This weakness allowed me to login to the web portal of the device using default guest credentials and read all the SIP authenticated user passwords as well as the administrator's password. ### POC Log in to the portal using the credentials "guest:guest" ![](https://hackmd.io/_uploads/SJ4JGlUan.png) Heading to the maintenance tab, we have the access feature which has an option to modify accounts accessing the devices: ![](https://hackmd.io/_uploads/ByZXGeUT2.png) ![](https://hackmd.io/_uploads/ByXBflU62.png) Opening the modify settings, the guest user is able to modify the user, as well as read the password of that user since it's displayed in the input field thus, by right clicking it and clicking "reveal password" it should display the password for the user chosen to be modified by the "Guest" user. ![](https://hackmd.io/_uploads/ByJozx86h.png) ![](https://hackmd.io/_uploads/r1tiGxLa3.png) Copy the password logout the portal and use the password to login as the user Admin, and WE ARE IN! <div style="width:100%;height:0;padding-bottom:56%;position:relative;"><iframe src="https://giphy.com/embed/WprAwhmBU4NlauH4nP" width="100%" height="100%" style="position:absolute" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></div>