[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2012-6297 - Command Injection via CSRF on DD-WRT v24-sp2

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2012-6297 - Command Injection via CSRF on DD-WRT v24-sp2
From: cyoung@xxxxxxxxxxxx
Date: Fri, 12 Jul 2013 00:04:50 GMT

DD-WRT v24-sp2 is prone to command injection from specially crafted 
configuration values containing shell meta-characters. A remote attacker can 
potentially use CSRF from an authenticated client to execute commands on the 
router as the root user. Successful exploitation can result in system wide 
compromise or a denial of service condition depending on the commands being 
injected.

This bug was reported via the DD-WRT bug tracker on November 20, 2012 but there 
does not appear to be ongoing development in the project.

Prev by Date: Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets
Next by Date: Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets
Previous by thread: Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets
Next by thread: CVE-2013-3568 - Linksys CSRF + Root Command Injection
Index(es):
- Date
- Thread