Bugtraq mailing list archives
Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
From: "David E. Thiel" <lx () redundancy redundancy org>
Date: Wed, 10 Dec 2008 15:51:01 -0800
On Wed, Dec 10, 2008 at 05:22:56AM -0700, s.gottschall () dd-wrt com wrote:
this is no security flaw since you must be already logged in within the webinterface of dd-wrt. otherwise this here will not work. we already fixed this issue in our sourcetree
It is a security flaw, you've neither fixed it nor understood it. The whole point of CSRF is that it works by using the victim's active session. An easy scenario in the case of DD-WRT is one where a victim reads a malicious "HOWTO" site, which has step by step instructions on how to say, boost signal strength. The user opens one tab to read the howto, and another to log into the DD-WRT web interface. Javascript in a tiny IFRAME on the malicious site performs repeated POSTs such as those posted in the original advisory. Your "fix" is simply checking the Referer header if it's present. Referer is an optional header which is often omitted, either due to firewalls/AV software removing it, or due to it being not sent by the browser due to an HTTP/HTTPS site transition. http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3 I suggest giving these a read: http://en.wikipedia.org/wiki/Cross-site_request_forgery https://www.isecpartners.com/files/CSRF_Paper.pdf
as additional information. this is no dd-wrt specific issue. all other firmware like openwrt etc. would suffer from it too.
Even if this were true, that wouldn't make this less of a flaw. Rooting your router through CSRF is pretty bad. Linksys has supposedly fixed theirs, but I don't know how well. Other firmwares do have CSRF problems, but they don't have the same entertainment value of DD-WRT's httpd.c (I like line 963).
Current thread:
- Multiple XSRF in DD-WRT (Remote Root Command Execution) th3 . r00k . ieatpork (Dec 08)
- <Possible follow-ups>
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) s . gottschall (Dec 10)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Hanno Böck (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) David E. Thiel (Dec 11)
- Re[2]: Multiple XSRF in DD-WRT (Remote Root Command Execution) Vladimir '3APA3A' Dubrovin (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) pUm (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Sebastian Gottschall (DD-WRT) (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Sebastian Gottschall (DD-WRT) (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) David E. Thiel (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) dan . crowley (Dec 11)
- Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) dan . crowley (Dec 11)
- Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) 0xjbrown41 (Dec 15)