Re: Linksys WRT54 GL - Session riding (CSRF)

Board: Bugtraq, posted 2008/01/11 23:51
* tomaz bratusa:

> Linksys WRT54GL is prone to an authentication-bypass
> vulnerability. Reportedly, the device permits changes in its
> configuration settings without requiring authentication (CSRF).

This specific attack scenario has been publicly documented for a long
time (note the final paragraph):

| Isn't your exploit somewhat complicated? Just put
|
| <img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
|
| on a web page, and trick the victim to visit it while he or she is
| logged into the Cisco router at 192.0.2.1 over HTTP. This has been
| dubbed "Cross-Site Request Forgery" a couple of years ago, but the
| authors of RFC 2109 were already aware of it in 1997. At that time,
| browser-side countermeasures were proposed (such as users examining
| the HTML source code *cough*), but current practice basically mandates
| that browsers transmit authentication information when following
| cross-site links.
|
| Such attacks are probably more problematic on low-end NAT routers
| whose internal address defaults to 192.168.1.1 and which generally
| offer HTTP access, which makes shotgun exploitation easier. So much
| for the "put your Windows box behind a NAT router" advice you often
| read.

<http://article.gmane.org/gmane.comp.security.bugtraq/20579>

Cisco PSIRT had been approached about this issue a couple of months
before that BUGTRAQ posting, IIRC.
Article code (AID): #17Xv2100 (Bugtraq)
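
Added example, not part of the original post or of any vendor firmware: a server-side check that a device's admin interface could apply so that the browser-supplied credentials described above are not enough on their own to change configuration. The function names, the header dictionary shape and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)       # per-boot secret (assumption)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def issue_token(session_id):
    """Token bound to one login session; embedded in every admin form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Origin (Referer as fallback) must name the host the request was sent to."""
    source = headers.get("Origin") or headers.get("Referer")
    host = headers.get("Host", "").lower()
    if not source or not host:
        return False
    return urlsplit(source).netloc.lower() == host


def allow_config_change(method, headers, session_id, form):
    """Decide whether an already-authenticated request may change settings."""
    if method in SAFE_METHODS:
        # An <img src=...> fetch is always a GET, so it stops here.
        return False, "state change over a safe method"
    if not same_origin(headers):
        return False, "cross-site or missing Origin/Referer"
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Run three constructed requests that all carry a valid login session."""
    sid = "constructed-session-id"
    host = {"Host": "192.168.1.1"}
    img_get = ("GET", {**host, "Referer": "http://other.example/page"}, sid, {})
    auto_post = ("POST", {**host, "Origin": "http://other.example"}, sid, {})
    own_form = ("POST", {**host, "Origin": "http://192.168.1.1"}, sid,
                {"csrf_token": issue_token(sid)})
    return [allow_config_change(*r) for r in (img_get, auto_post, own_form)]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```
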