lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <008b01c8567d$f92c4d30$0201010a@zuffa4263035f7>
Date: Mon, 14 Jan 2008 08:20:42 +0100
From: "Tomaz" <tomaz.bratusa@...mintell.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Linksys WRT54 GL - Session riding (CSRF)

Ok, and what does it change...there are still the same vulnerabilities in
their equipment. Should we stop checking and publishing them just because
somebody informed the vendor 2 years ago?

-----Original Message-----
From: Florian Weimer [mailto:info@...t.uz] 
Sent: 11. januar 2008 11:54
To: tomaz.bratusa@...mintell.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Linksys WRT54 GL - Session riding (CSRF)

* tomaz bratusa:

> Linksys WRT54GL is prone to an authentication-bypass
> vulnerability. Reportedly, the device permits changes in its
> configuration settings without requring authentication (CSRF).

This specific attack scenario has been publicly documented for a long
time (note the final paragraph):

| Isn't your exploit somewhat complicated?  Just put
| 
| <img
src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
| 
| on a web page, and trick the victim to visit it while he or she is
| logged into the Cisco router at 192.0.2.1 over HTTP.  This has been
| dubbed "Cross-Site Request Forgery" a couple of years ago, but the
| authors of RFC 2109 were already aware of it in 1997.  At that time,
| browser-side countermeasures were proposed (such as users examining
| the HTML source code *cough*), but current practice basically mandates
| that browsers transmit authentication information when following
| cross-site links.
| 
| Such attacks are probably more problematic on low-end NAT routers
| whose internal address defaults to 192.168.1.1 and which generally
| offer HTTP access, which makes shotgun exploitation easier.  So much
| for the "put your Windows box behind a NAT router" advice you often
| read.

<http://article.gmane.org/gmane.comp.security.bugtraq/20579>

Cisco PSIRT had been approached about this issue a couple of months
before that BUGTRAQ posting, IIRC.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ