Date: 15 Dec 2008 18:47:15 -0000
From: 0xjbrown41@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

That is why it is called a remote command execution via a CSRF vulnerability. Your code should be AT LEAST checking referrers (weak and obscure but helpful) or implementing many of the other protections that are available.

See http://www.owasp.org/index.php/Cross-Site_Request_Forgery for more details.

Good info @ http://www.cgisecurity.com/articles/csrf-faq.shtml as well:

"The most popular suggestion to preventing CSRF involves appending challenge tokens to each request. It is important to state that this challenge token MUST be associated with the user session, otherwise an attacker may be able to fetch a valid token on their own and utilize it in an attack. In addition to being tied to the user session it is important to limit the time period to which a token is valid. This method is documented in multiple documents however as pointed out in mailing list postings an attacker can utilize an existing browser vulnerability or XSS flaw to grab this session token."

The fact is, as long as one of these situations is available, the exploit can be auto-pwn:

1) The tab is open somewhere on the browser.
2) The session is still active in the browser.
3) The browser used has the credentials saved (No prompts /w Safari).
4) Nearly any situation where the target visits the page (But if not 1, 2, or 3, a prompt will usually pop up asking for credentials.)
