On Wed, Dec 10, 2008 at 05:22:56AM -0700, s.gottschall@xxxxxxxxxx wrote: > this is no security flaw since you must be already logged in > within the webinterface of dd-wrt. otherwise this here will not > work. we already fixed this issue in our sourcetree It is a security flaw, you've neither fixed it nor understood it. The whole point of CSRF is that it works by using the victim's active session. An easy scenario in the case of DD-WRT is one where a victim reads a malicious "HOWTO" site, which has step by step instructions on how to say, boost signal strength. The user opens one tab to read the howto, and another to log into the DD-WRT web interface. Javascript in a tiny IFRAME on the malicious site performs repeated POSTs such as those posted in the original advisory. Your "fix" is simply checking the Referer header if it's present. Referer is an optional header which is often omitted, either due to firewalls/AV software removing it, or due to it being not sent by the browser due to an HTTP/HTTPS site transition. http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3 I suggest giving these a read: http://en.wikipedia.org/wiki/Cross-site_request_forgery https://www.isecpartners.com/files/CSRF_Paper.pdf > as additional information. this is no dd-wrt specific issue. all > other firmware like openwrt etc. would suffer from it too. Even if this were true, that wouldn't make this less of a flaw. Rooting your router through CSRF is pretty bad. Linksys has supposedly fixed theirs, but I don't know how well. Other firmwares do have CSRF problems, but they don't have the same entertainment value of DD-WRT's httpd.c (I like line 963).
