| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTikDO9yODwbVWJjDdRD0n3oOXA6rnC4fNmCDTmRa@mail.gmail.com> Date: Sat, 18 Dec 2010 19:49:30 +1100 From: dave b <db.pub.mail@...il.com> To: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: csrf and xss vs the openwrt 10.03 webinterface So it turns out I totally ignored the stok parameter in nearly every url - once a user is logged in (easy to miss uh? :P) - which offers some protection against csrf attacks. However, if the user decides to log in(as they will meet a login page) anyway to a url like(from my original email): http://192.168.0.1/cgi-bin/luci/;stok=d/admin/system/packages?query=%22%2F%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&submit=OK then the action will still be taken - after they log in. **(obviously iff the user actually logs in) So the obvious fix for openwrt is to simply 1. log the user out(which already happens) 2. alert them that something bad may have been attempted 3. direct the user to the login page. (e.g. http://192.168.0.1/cgi-bin/luci/mini/ ) -- How apt the poor are to be proud. -- William Shakespeare, "Twelfth-Night _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists