Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
From: s.gottschall@xxxxxxxxxx
Date: Wed, 10 Dec 2008 05:22:56 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

this is no security flaw since you must be already logged in within the 
webinterface of dd-wrt. otherwise this here will not work. we already fixed 
this issue in our sourcetree

as additional information. this is no dd-wrt specific issue. all other firmware 
like openwrt etc. would suffer from it too. 

in fact. just a plain POST to a authenticated dd-wrt session. without beeing 
logged in locally it would not have any effect

Follow-Ups:
- Re[2]: Multiple XSRF in DD-WRT (Remote Root Command Execution)
  - From: Vladimir '3APA3A' Dubrovin
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
  - From: David E. Thiel
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
  - From: Hanno Böck

Prev by Date: [IVIZ-08-016] F-Secure f-prot Antivirus for Linux corrupted ELF header Security Bypass
Next by Date: Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)
Previous by thread: Multiple XSRF in DD-WRT (Remote Root Command Execution)
Next by thread: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
Index(es):
- Date
- Thread