Bugtraq mailing list archives

Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)


From: 0xjbrown41 () gmail com
Date: 15 Dec 2008 18:47:15 -0000

That is why it is called a remote command execution via a CSRF vulnerability. Your code should be AT LEAST checking 
referrers (weak and obscure but helpful) or implementing many of the other protections that are available.

See http://www.owasp.org/index.php/Cross-Site_Request_Forgery for more details.

Good info @ http://www.cgisecurity.com/articles/csrf-faq.shtml as well:

"The most popular suggestion to preventing CSRF involves appending challenge tokens to each request. It is important to 
state that this challenge token MUST be associated with the user session, otherwise an attacker may be able to fetch a 
valid token on their own and utilize it in an attack. In addition to being tied to the user session it is important to 
limit the time period to which a token is valid. This method is documented in multiple documents however as pointed out 
in mailing list postings an attacker can utilize an existing browser vulnerability or XSS flaw to grab this session 
token."

The fact is, as long as one of these situations is available, the exploit can be auto-pwn:

1) The tab is open somewhere on the browser.
2) The session is still active in the browser.
3) The browser used has the credentials saved (No prompts /w Safari).
4) Nearly any situation where the target visits the page (but if not 1, 2, or 3, a prompt will usually pop up asking for 
credentials).
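
As an added example (not code from the original post, DD-WRT, or the quoted FAQ), the following Python sketch shows the two defenses the post names: a session-bound, time-limited anti-CSRF token and an Origin/Referer check, applied to a simulated state-changing handler. The token format, the function names, the 600-second lifetime, the router address 192.168.1.1 and the sample requests are all assumptions constructed for the demonstration. It also shows why a token must be tied to the session: a token the attacker fetches in their own session fails verification against the victim's session.

```python
"""Session-bound, time-limited CSRF tokens plus an Origin/Referer check.

Added example; not from the original post or from DD-WRT. Token layout,
TTL, hostnames and the constructed requests below are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

TOKEN_TTL = 600  # seconds a token stays valid (assumed policy)


def issue_token(secret: bytes, session_id: str, now: Optional[float] = None) -> str:
    """Return 'expiry.nonce.mac'.

    The MAC covers the session id, so the token only verifies for the
    session it was issued in; the expiry limits how long a leaked token lives.
    """
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL
    nonce = secrets.token_hex(16)
    msg = f"{expiry}.{nonce}.{session_id}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{nonce}.{mac}"


def validate_token(secret: bytes, session_id: str, token: str,
                   now: Optional[float] = None) -> bool:
    """True only for an unexpired token whose MAC matches this session."""
    now = time.time() if now is None else now
    try:
        expiry_s, nonce, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if now > expiry:
        return False
    msg = f"{expiry}.{nonce}.{session_id}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time compare


def origin_allowed(headers: dict, allowed_hosts: set) -> bool:
    """The 'weak but helpful' check: Origin (preferred) or Referer must name
    the device itself. A state-changing request with neither header is
    rejected (fail closed) rather than waved through."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname in allowed_hosts
    return False


def handle_apply(request: dict, secret: bytes, allowed_hosts: set, now: float) -> str:
    """Simulated state-changing handler (think of a firmware apply CGI).
    Returns 'applied' or the reason the request was refused."""
    if request["method"] != "POST":
        return "rejected: method"
    if not origin_allowed(request["headers"], allowed_hosts):
        return "rejected: origin"
    token = request["form"].get("csrf_token", "")
    if not validate_token(secret, request["session_id"], token, now):
        return "rejected: token"
    return "applied"


def demo() -> dict:
    """Run four constructed requests through the handler and return the verdicts."""
    secret = b"constructed-demo-secret"  # constructed; a real device loads this from storage
    hosts = {"192.168.1.1"}               # assumed LAN address of the router
    t0 = 1_700_000_000.0
    victim_token = issue_token(secret, "victim-session", t0)
    attacker_token = issue_token(secret, "attacker-session", t0)

    def req(origin, token, session="victim-session"):
        headers = {"Origin": origin} if origin else {}
        form = {"csrf_token": token} if token else {}
        return {"method": "POST", "headers": headers, "session_id": session, "form": form}

    return {
        # victim submits the form from the router's own page with a fresh token
        "legit": handle_apply(req("http://192.168.1.1", victim_token), secret, hosts, t0),
        # classic cross-site forged POST: browser sends the attacker's Origin, no token
        "cross_site": handle_apply(req("http://attacker.example", None), secret, hosts, t0),
        # attacker fetched a token in their own session and replays it; Origin is set
        # to the router here only to isolate the session-binding check
        "attacker_token": handle_apply(req("http://192.168.1.1", attacker_token), secret, hosts, t0),
        # same victim token replayed after the lifetime has passed
        "expired": handle_apply(req("http://192.168.1.1", victim_token), secret, hosts,
                                t0 + TOKEN_TTL + 1),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

Note that in a real cross-site attack the browser sets Origin (or Referer) to the attacker's page, so the replayed-token case would already fail the origin check; the demo forces it past that check to show that the session binding alone is enough to reject it. The quoted FAQ's caveat still applies: an XSS flaw on the same origin lets the attacker read a valid token for the victim's session, which neither check stops.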

