Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

["Sebastian Gottschall (DD-WRT) " <s.gottschall () dd-wrt com>]

pUm schrieb:
> this is no security flaw since you must be already logged in within
> the webinterface of dd-wrt. otherwise this here will not work. we
> already fixed this issue in our sourcetree
>
> as additional information. this is no dd-wrt specific issue. all other
> firmware like openwrt etc. would suffer from it too.
>
> in fact. just a plain POST to a authenticated dd-wrt session. without
> beeing logged in locally it would not have any effect
> -----------------------------------
>
> oh god - you dd-wrt people sucks so much. its unbelievable in which
> way you are handling security advisories. if you would be able to make
> a post without authentication it would be much worst. I would
> recommend to read www.owasp.org
>   
this is why a authentication is required for every POST
> another example for the bad security work of the dd-wrt guys are one
> this forum post:
> http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783&postdays=0&postorder=asc&start=0
>
> bitmage discovered that in every fresh release and every custom
> firewall two other rules are added in front of all.
> the rules will allow every service on the dd-wrt router from the ip
> 194.231.229.20 and from the ip 212.65.2.116
>   
this is removed since a long time and these both ip did not exist. i 
explained also in the forum how this problem occured
> some workarounds exist, I didnt test any of them, because dd-wrt isnt
> trustworth anymore for me. I can confirm this flaw in the latest
> stable vpn release.
>   
for sure you can. nobody informed me about this issue. it was posted 
without a notice to the developer and this sucks much more
as i already told. i'm not able to provide a stable fixed version in a 
good timeframe.
> please note the workarounds from the main developer from dd-wrt:
> "even i see no reason for this. these ip addresses arent valid
> anymore. it seems that chris implemented this for a customer. i
> removed it now" (they are still in the default install image)
> "nvram unset ral
> nvram commit "
> "there is no security hole. both ip's are not active anymore and
> obsolete since a long time. "
> "i will lock this thread now. a new release is scheduled soon (within
> this or next week), but you cannot force me to release buggy code
> based on the current internal tree.thats my last statement on this
> topic" (Posted: Tue Aug 19, 2008 10:57 pm)
>
> I recommend everyone to not use dd-wrt anymore, at least as long as
> they didnt change their politics and stops talking bullshit "there is
> no security hole"
>   
fore sure its no security hole. it would be one if you can get into the 
router without authentication
and consider that i reacted fast enough to fix it in our sourcecode.

--
Mit freundlichen Grüssen / Regards

Sebastian Gottschall / CTO 

NewMedia-NET GmbH - DD-WRT 
Firmensitz:  Wormser Straße 5 - 7, 64625 Bensheim
Registergericht: Amtsgericht Darmstadt, HRB 25473
Geschäftsführer: Peter Steinhäuser, Christian Scheele
http://www.dd-wrt.com
email: s.gottschall () dd-wrt com
Tel.: +496251-582650 / Fax: +496251-5826565