Full Disclosure mailing list archives
Re: NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF - SOS-11-011
From: Valdis.Kletnieks () vt edu
Date: Tue, 20 Sep 2011 08:06:30 -0400
On Tue, 20 Sep 2011 12:18:43 +1000, Lists said:
Basic authentication is used as the primary and only authentication mechanism for the administrator interface on the device. The basic authentication can be bypassed by sending a valid POST request to the device without sending any authentication header. The response from the device sends the user to another page that requests basic authentication, however at this point the request has already been processed.
The.. request.. has.. already.. been.. processed. *facepalm*. ;)

The most obvious way to screw this up:

    if (request_not_validated()) send_error_page();
    else execute_request();

and somebody forgot the 'else', making the execute a fall-through. But how does something like that slip through basic testing?
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
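Added example (not part of the original post and not the vendor's firmware): a C model of the fall-through described in the reply above, beside the corrected ordering, with a regression check that inspects device state instead of only the response status. The device struct, the 401 status and the placeholder credential are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: one setting that an admin POST may change. */
struct device { int remote_mgmt_enabled; };
struct request {
    const char *method;        /* "GET" or "POST" */
    const char *authorization; /* NULL when no Authorization header was sent */
};
typedef int (*handler_fn)(struct device *, const struct request *);

/* Hypothetical credential check; the expected value is a placeholder. */
static int request_validated(const struct request *r) {
    return r->authorization && strcmp(r->authorization, "Basic PLACEHOLDER") == 0;
}
static void execute_request(struct device *d, const struct request *r) {
    if (strcmp(r->method, "POST") == 0)
        d->remote_mgmt_enabled = 1;
}

/* Flawed ordering: the challenge is chosen, but execution falls through. */
int handle_flawed(struct device *d, const struct request *r) {
    int status = 200;
    if (!request_validated(r))
        status = 401;       /* client is told to authenticate ... */
    execute_request(d, r);  /* ... yet the request is processed anyway */
    return status;
}

/* Corrected ordering: reject before any state-changing code can run. */
int handle_fixed(struct device *d, const struct request *r) {
    if (!request_validated(r))
        return 401;
    execute_request(d, r);
    return 200;
}

/* Regression check: 1 only if an unauthenticated POST gets a 401 AND leaves
 * device state untouched. A test that checks the status alone passes both. */
int unauth_post_is_inert(handler_fn handler) {
    struct device d = { 0 };
    struct request r = { "POST", NULL };
    return handler(&d, &r) == 401 && d.remote_mgmt_enabled == 0;
}

int main(void) {
    printf("flawed inert: %d\n", unauth_post_is_inert(handle_flawed));
    printf("fixed inert:  %d\n", unauth_post_is_inert(handle_fixed));
    return 0;
}
```

Both handlers return the same status for an unauthenticated POST, so a test that only checks for the authentication challenge cannot tell them apart; the check has to assert that nothing changed on the device.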
Current thread:
- NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF - SOS-11-011 Lists (Sep 19)
- Re: NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF - SOS-11-011 Valdis . Kletnieks (Sep 20)