Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
That is why it is called a remote command execution via a CSRF vulnerability.
Your code should be AT LEAST checking referrers (weak and obscure but helpful)
or implementing many of the other protections that are available.
See http://www.owasp.org/index.php/Cross-Site_Request_Forgery for more details.
Good info @ http://www.cgisecurity.com/articles/csrf-faq.shtml as well:
"The most popular suggestion to preventing CSRF involves appending challenge
tokens to each request. It is important to state that this challenge token MUST
be associated with the user session, otherwise an attacker may be able to fetch
a valid token on their own and utilize it in an attack. In addition to being
tied to the user session it is important to limit the time period to which a
token is valid. This method is documented in multiple documents however as
pointed out in mailing list postings an attacker can utilize an existing
browser vulnerability or XSS flaw to grab this session token."
The fact is, as long as one of these situations is available, the exploit can
be auto-pwn:
1) The tab is open somewhere on the browser.
2) The session is still active in the browser.
3) The browser used has the credentials saved (No prompts /w Safari).
4) Nearly any situation where the target visits the page (but if not 1, 2, or 3,
a prompt will usually pop up asking for credentials).
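As an added illustration of the two protections the reply mentions (it is not code from the original post or from DD-WRT), here is a session-bound, time-limited CSRF token plus a Referer check, the way an embedded admin UI could validate a state-changing request. Session ids, the hostname `router.lan`, and the 600-second lifetime are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

SERVER_KEY = os.urandom(32)   # per-process secret; generated here for the example
TOKEN_TTL = 600               # seconds a token stays valid (assumed value)


def make_csrf_token(session_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Token = issue_time ':' HMAC-SHA256(key, session_id '|' issue_time).

    Binding the MAC to the session id means a token fetched under the
    attacker's own session is useless against the victim's session."""
    msg = f"{session_id}|{now}".encode()
    return f"{now}:{hmac.new(key, msg, hashlib.sha256).hexdigest()}"


def check_csrf_token(token: str, session_id: str, now: int,
                     key: bytes = SERVER_KEY, ttl: int = TOKEN_TTL) -> bool:
    """Reject malformed, expired, future-dated, or wrong-session tokens."""
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if issued > now or now - issued > ttl:
        return False
    expected = hmac.new(key, f"{session_id}|{issued_s}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def referer_allowed(referer, allowed_hosts) -> bool:
    """Weak but cheap first line: a missing or cross-origin Referer is rejected."""
    if not referer:
        return False
    return urlsplit(referer).hostname in allowed_hosts


def is_request_allowed(headers: dict, form: dict, session_id: str, now: int,
                       allowed_hosts=("router.lan",)) -> bool:
    """Both checks must pass before a state-changing request is honoured."""
    if not referer_allowed(headers.get("Referer"), allowed_hosts):
        return False
    return check_csrf_token(form.get("csrf_token", ""), session_id, now)
```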