Am Mittwoch 10 Dezember 2008 schrieb s.gottschall@xxxxxxxxxx: > in fact. just a plain POST to a authenticated dd-wrt session. without > beeing logged in locally it would not have any effect That's exactly the problem, as this POST can be triggered from a third-party webpage via javascript. You are familiar with Cross Site Request Forgery attacks? Wikipedia gives some good introduction: http://en.wikipedia.org/wiki/CSRF All forms in web applications doing changes that require authentication need some extra protection to prevent CSRF. Usually this is done by some random token that may be created out of a random session value stored on the application site combined with an id of the form. This has to be checked before any action is executed. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno@xxxxxxxxx http://www.jukss.de/ Jugemdumweltkongress, 27.12.-4.1.
Attachment:
signature.asc
Description: This is a digitally signed message part.