[Original text] The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 126.96.36.199 uses Base64 encoded usernames and passwords for HTTP basic authentication, which allows remote attackers to steal and easily decode the passwords via sniffing.
Pingtel xpressa contains a flaw that may allow a malicious user to sniff credentials. The issue is caused by Pingtel xpressa's use of HTTP basic authentication, which only Base64-encodes the username and password rather than encrypting them. The flaw may allow the compromise of administrator credentials, or those of any other user added, resulting in a loss of confidentiality.
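The following audit helper is an added example, not code from Pingtel or from this advisory. It shows why Base64 gives no confidentiality by flagging Basic credentials in a captured HTTP request and reporting whether they crossed the wire without TLS. The request, host, path and credentials are constructed sample data, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample: a cleartext HTTP request as seen in a packet capture.
# Host, path and credentials are made up for illustration.
SAMPLE_REQUEST = (
    "GET /cgi/config.cgi HTTP/1.0\r\n"
    "Host: phone.example.test\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0OnB3\r\n"
    "\r\n"
)


def find_basic_credentials(raw_request):
    """Return (user, password) if the request carries Basic credentials, else None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":  # scheme names are case-insensitive
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed token: nothing recoverable
        # Only the first colon separates user from password;
        # the password itself may contain colons.
        user, sep, password = decoded.decode("utf-8", "replace").partition(":")
        if sep:
            return user, password
    return None


def audit(raw_request, over_tls):
    """Summarise credential exposure without echoing the password itself."""
    creds = find_basic_credentials(raw_request)
    if creds is None:
        return None
    user, password = creds
    return {"user": user, "password_len": len(password), "exposed": not over_tls}


if __name__ == "__main__":
    print(audit(SAMPLE_REQUEST, over_tls=False))
```

No key or secret is needed to recover the credentials, so the only effective control on the wire is transport encryption.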
Immediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well. Upgrade to version 2.0.1 or higher, as it has been reported to resolve several related authentication issues. Pingtel has released a document which outlines best practices relating to the deployment of Pingtel phones. See references for further information.