Re: csrf and xss vs the openwrt 10.03 webinterface

[dave b <db.pub.mail () gmail com>]

So it turns out I totally ignored the stok parameter in nearly every
url - once a user is logged in (easy to miss uh? :P) - which offers
some protection against csrf attacks.
However, if the user decides to log in(as they will meet a login page)
anyway  to a url like(from my original email):

http://192.168.0.1/cgi-bin/luci/;stok=d/admin/system/packages?query=%22%2F%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&submit=OK

then the action will still be taken - after they log in. **(obviously
iff the user actually logs in)
So the obvious fix for openwrt is to simply
 1. log the user out(which already happens)
 2. alert them that something bad may have been attempted
 3. direct the user to the login page. (e.g.
http://192.168.0.1/cgi-bin/luci/mini/ )


--
How apt the poor are to be proud.               -- William Shakespeare, "Twelfth-Night

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/