Re: Linksys WRT54 GL - Session riding (CSRF)

Board: Bugtraq, Posted: 2008/01/16 04:20
On Mon, 14 Jan 2008 12:58:17 CST, Jan Heisterkamp said:
> > A malicious link executing unnoticed by the administrator may open the firewall.
>
> The catch is that this exploit doesn't work unnoticed, because the admin
> gets a notification in the browser that an error has occurred with the
> certificate ["Unable to verify the identity of Linksys as a trusted
> site"] and he has to explicitly allow it. In other words first he has to
> allow to be attacked...

A very high percentage of Joe Sixpack "sysadmins" sitting at home surfing
for Nascar and pr0n will go "Yeah, whatever" and click OK anyhow.

A long time ago, I stopped thinking that "User must click OK to scary-looking
message" was any sort of road bump for malware.
Article ID (AID): #17ZHMM00 (Bugtraq)