Ok, and what does it change... there are still the same vulnerabilities in their equipment. Should we stop checking and publishing them just because somebody informed the vendor 2 years ago?

-----Original Message-----
From: Florian Weimer [mailto:info@xxxxxxx]
Sent: 11. januar 2008 11:54
To: tomaz.bratusa@xxxxxxxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Linksys WRT54 GL - Session riding (CSRF)

* tomaz bratusa:

> Linksys WRT54GL is prone to an authentication-bypass
> vulnerability. Reportedly, the device permits changes in its
> configuration settings without requiring authentication (CSRF).

This specific attack scenario has been publicly documented for a long time (note the final paragraph):

| Isn't your exploit somewhat complicated? Just put
|
| <img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
|
| on a web page, and trick the victim to visit it while he or she is
| logged into the Cisco router at 192.0.2.1 over HTTP. This has been
| dubbed "Cross-Site Request Forgery" a couple of years ago, but the
| authors of RFC 2109 were already aware of it in 1997. At that time,
| browser-side countermeasures were proposed (such as users examining
| the HTML source code *cough*), but current practice basically mandates
| that browsers transmit authentication information when following
| cross-site links.
|
| Such attacks are probably more problematic on low-end NAT routers
| whose internal address defaults to 192.168.1.1 and which generally
| offer HTTP access, which makes shotgun exploitation easier. So much
| for the "put your Windows box behind a NAT router" advice you often
| read.

<http://article.gmane.org/gmane.comp.security.bugtraq/20579>

Cisco PSIRT had been approached about this issue a couple of months before that BUGTRAQ posting, IIRC.
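As an added defensive illustration (not code from this thread, from Linksys or from Cisco): a small model of the ambient-authentication problem Florian describes, where the browser attaches the router login to any request including one from an <img> on a third-party page, beside a handler that refuses such a request. The device origins, the /apply path, the header names used as a fallback and the session values are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed admin-interface origins of the device (constructed, not from the thread).
ROUTER_ORIGINS = {"http://192.168.1.1", "http://192.0.2.1"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    # True when the browser automatically attached the router's Basic-auth
    # credentials or session cookie, i.e. the "ambient" authentication CSRF abuses.
    authenticated: bool = False


def issue_token(session_secret: bytes, session_id: str) -> str:
    """Synchronizer token bound to the admin session (HMAC under a per-boot secret)."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def legacy_handler(req: Request) -> bool:
    """Pattern the thread criticises: any authenticated hit on /apply changes config,
    so a GET triggered by <img src=...> on another site is honoured."""
    return bool(req.authenticated and req.path.startswith("/apply"))


def hardened_handler(req: Request, session_secret: bytes, session_id: str) -> bool:
    """Accept a configuration change only if it could not have been forged cross-site."""
    if not req.authenticated:
        return False
    if req.method != "POST":
        return False  # state changes never on GET: an <img> tag cannot issue a POST
    # Browsers send Origin on cross-site POSTs; Referer is a fallback for older ones.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return False  # no provenance at all: refuse rather than guess
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" not in ROUTER_ORIGINS:
        return False  # page that issued the request is not the router's own UI
    # Finally require the per-session token, which a third-party page cannot read.
    expected = issue_token(session_secret, session_id)
    return hmac.compare_digest(req.form.get("csrf_token", ""), expected)
```

The legacy handler honours a credentialed GET regardless of where it came from; the hardened one needs a POST, a same-origin source and a session-bound token, so the forged image request fails all three checks.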