<<< Date Index >>>     <<< Thread Index >>>

Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)



this is no security flaw since you must be already logged in within
the webinterface of dd-wrt. otherwise this here will not work. we
already fixed this issue in our sourcetree

as additional information. this is no dd-wrt specific issue. all other
firmware like openwrt etc. would suffer from it too.

in fact. just a plain POST to a authenticated dd-wrt session. without
beeing logged in locally it would not have any effect
-----------------------------------

oh god - you dd-wrt people sucks so much. its unbelievable in which
way you are handling security advisories. if you would be able to make
a post without authentication it would be much worst. I would
recommend to read www.owasp.org

another example for the bad security work of the dd-wrt guys are one
this forum post:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783&postdays=0&postorder=asc&start=0

bitmage discovered that in every fresh release and every custom
firewall two other rules are added in front of all.
the rules will allow every service on the dd-wrt router from the ip
194.231.229.20 and from the ip 212.65.2.116

some workarounds exist, I didnt test any of them, because dd-wrt isnt
trustworth anymore for me. I can confirm this flaw in the latest
stable vpn release.

please note the workarounds from the main developer from dd-wrt:
"even i see no reason for this. these ip addresses arent valid
anymore. it seems that chris implemented this for a customer. i
removed it now" (they are still in the default install image)
"nvram unset ral
nvram commit "
"there is no security hole. both ip's are not active anymore and
obsolete since a long time. "
"i will lock this thread now. a new release is scheduled soon (within
this or next week), but you cannot force me to release buggy code
based on the current internal tree.thats my last statement on this
topic" (Posted: Tue Aug 19, 2008 10:57 pm)

I recommend everyone to not use dd-wrt anymore, at least as long as
they didnt change their politics and stops talking bullshit "there is
no security hole"

cheers