Cisco Support Community

Cisco Phone User/Password sent in plaintext over network

I was just attempting to diagnose a problem pushing a particular <CiscoIPhoneExecute> XML tag to the phone. I was running a network sniffer on the PC port of my 7960 phone to watch the traffic and discovered something rather troubling.

When you post to the phone, it validates your credentials by doing an HTTP POST to http://CallManager/CCMUser/authenticate.asp. The problem is that the username and password are sent in plaintext and are readily visible in the packets. Anyone running a sniffer on the PC port of the phone can see the username and password.

Obviously this is a huge issue for those folks pushing content to the phones using a master user associated with all of the phones. Anyone with this password can mess with any of the phones.

I'm running CM 3.1.2(c). I understand some of the phone loads or configurations do not echo all of the phone traffic to the PC port?
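
A defender-side check for the exposure described in the post above, added here as an example and not part of the original thread or any Cisco code: it inspects one captured cleartext HTTP request and reports which credential fields are readable on the wire, without echoing their values. The form-field names and the sample request are assumptions constructed for illustration; only the URL path comes from the post.

```python
from urllib.parse import parse_qsl, urlsplit

AUTH_PATH = "/ccmuser/authenticate.asp"  # path named in the post, lower-cased
# Assumed field names; the post does not list them, adjust to your own capture.
CREDENTIAL_FIELDS = {"userid", "username", "password", "passwd", "pin"}

# Constructed sample request (not taken from a real capture).
SAMPLE = (b"POST /CCMUser/authenticate.asp HTTP/1.1\r\n"
          b"Host: CallManager\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 66\r\n\r\n"
          b"UserID=pushuser&Password=example-secret&devicename=SEP000000000000")


def audit_request(raw: bytes):
    """Return a finding if a cleartext HTTP request to the authentication URL
    carries credential fields, else None. Credential values are never returned,
    so the finding is safe to write to a log or ticket."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ", 2)
    except ValueError:
        return None  # no request line, e.g. the payload is a TLS record
    if not version.startswith("HTTP/"):
        return None
    parts = urlsplit(target)  # handles both origin-form and absolute-form targets
    if parts.path.lower() != AUTH_PATH:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Credentials may travel in the query string or in a form-encoded body.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if "x-www-form-urlencoded" in headers.get("content-type", "").lower():
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    exposed = sorted({k for k, v in params if k.lower() in CREDENTIAL_FIELDS and v})
    if not exposed:
        return None
    return {"host": headers.get("host", ""), "method": method.upper(),
            "path": parts.path, "exposed_fields": exposed}


if __name__ == "__main__":
    print(audit_request(SAMPLE))
```

A payload that does not parse as an HTTP request, such as the same exchange carried over TLS, yields no finding.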



Re: Cisco Phone User/Password sent in plaintext over network

I believe the problem of the passwords being sent in clear text has been addressed and is being worked on. Don't think there is a workaround at this time.
