Bugtraq mailing list archives
Re: Linksys WRT54 GL - Session riding (CSRF)
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 11 Jan 2008 11:54:20 +0100
* tomaz bratusa:
Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requiring authentication (CSRF).
This specific attack scenario has been publicly documented for a long time (note the final paragraph):

| Isn't your exploit somewhat complicated? Just put
|
| <img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
|
| on a web page, and trick the victim to visit it while he or she is
| logged into the Cisco router at 192.0.2.1 over HTTP. This has been
| dubbed "Cross-Site Request Forgery" a couple of years ago, but the
| authors of RFC 2109 were already aware of it in 1997. At that time,
| browser-side countermeasures were proposed (such as users examining
| the HTML source code *cough*), but current practice basically mandates
| that browsers transmit authentication information when following
| cross-site links.
|
| Such attacks are probably more problematic on low-end NAT routers
| whose internal address defaults to 192.168.1.1 and which generally
| offer HTTP access, which makes shotgun exploitation easier. So much
| for the "put your Windows box behind a NAT router" advice you often
| read.

<http://article.gmane.org/gmane.comp.security.bugtraq/20579>

Cisco PSIRT had been approached about this issue a couple of months before that BUGTRAQ posting, IIRC.
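Added example, not part of the original post and not Linksys or Cisco code: a sketch of the server-side gate a device admin interface can apply so that a request the browser sends with valid credentials from another site is still refused. The function names, the `csrf_token` form field, the key, the session id and the sample requests are all assumptions made up for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def issue_token(key: bytes, session_id: str) -> str:
    """Anti-CSRF token bound to one login session; embedded in the admin forms."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()

def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_request(method, headers, form, mutates, session_id, key, own_origins):
    """Return (allowed, reason) for a request that already passed authentication."""
    if not mutates:
        return True, "read-only"
    # 1. An <img> tag or link can only issue GET, so mutating handlers refuse it.
    if method.upper() in SAFE_METHODS:
        return False, "state change over safe method"
    # 2. If the browser reports where the request came from, it must be our own UI.
    source = headers.get("Origin") or headers.get("Referer")
    if source and origin_of(source) not in own_origins:
        return False, "cross-site origin"
    # 3. Other sites cannot read the admin pages, so they cannot learn the token.
    expected = issue_token(key, session_id).encode()
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), expected):
        return False, "bad or missing token"
    return True, "ok"

# Constructed sample requests (hypothetical key, session id and origins).
KEY, SID = b"device-local-secret", "session-1234"
OWN = {"http://192.168.1.1"}
SAMPLES = {
    "img tag on another site": ("GET", {"Referer": "http://example.test/page"}, {}),
    "cross-site POST": ("POST", {"Origin": "http://example.test"}, {}),
    "no origin header, no token": ("POST", {}, {}),
    "admin UI form": ("POST", {"Origin": "http://192.168.1.1"},
                      {"csrf_token": issue_token(KEY, SID)}),
}

def run_samples():
    return {name: check_request(m, h, f, True, SID, KEY, OWN)
            for name, (m, h, f) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The first check alone covers the image-tag case quoted in the message; the token check is what still holds when the browser sends neither an Origin nor a Referer header.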