[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
From: s.gottschall@xxxxxxxxxx
Date: Wed, 10 Dec 2008 05:22:56 -0700

this is no security flaw since you must be already logged in within the 
webinterface of dd-wrt. otherwise this here will not work. we already fixed 
this issue in our sourcetree

as additional information. this is no dd-wrt specific issue. all other firmware 
like openwrt etc. would suffer from it too. 

in fact. just a plain POST to a authenticated dd-wrt session. without beeing 
logged in locally it would not have any effect

Follow-Ups:
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
  - From: Hanno Böck
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
  - From: David E. Thiel
- Re[2]: Multiple XSRF in DD-WRT (Remote Root Command Execution)
  - From: Vladimir '3APA3A' Dubrovin

Prev by Date: [IVIZ-08-016] F-Secure f-prot Antivirus for Linux corrupted ELF header Security Bypass
Next by Date: Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)
Previous by thread: Multiple XSRF in DD-WRT (Remote Root Command Execution)
Next by thread: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
Index(es):
- Date
- Thread