Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

["David E. Thiel" <lx () redundancy redundancy org>]

On Wed, Dec 10, 2008 at 05:22:56AM -0700, s.gottschall () dd-wrt com wrote:
> this is no security flaw since you must be already logged in
> within the webinterface of dd-wrt. otherwise this here will not
> work. we already fixed this issue in our sourcetree

It is a security flaw, you've neither fixed it nor understood it. The
whole point of CSRF is that it works by using the victim's active
session. An easy scenario in the case of DD-WRT is one where a victim
reads a malicious "HOWTO" site, which has step by step instructions on
how to say, boost signal strength. The user opens one tab to read the
howto, and another to log into the DD-WRT web interface. Javascript in a
tiny IFRAME on the malicious site performs repeated POSTs such as those
posted in the original advisory.

Your "fix" is simply checking the Referer header if it's present.
Referer is an optional header which is often omitted, either due to
firewalls/AV software removing it, or due to it being not sent by the
browser due to an HTTP/HTTPS site transition. 

http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

I suggest giving these a read:

http://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.isecpartners.com/files/CSRF_Paper.pdf

> as additional information. this is no dd-wrt specific issue. all
> other firmware like openwrt etc. would suffer from it too.

Even if this were true, that wouldn't make this less of a flaw.
Rooting your router through CSRF is pretty bad. Linksys has supposedly
fixed theirs, but I don't know how well. Other firmwares do have CSRF
problems, but they don't have the same entertainment value of DD-WRT's
httpd.c (I like line 963).