SecurityReason.com - Our Reason is Security

Topic: Linksys WRT54 GL - Session riding (CSRF)

SecurityAlert: 3534
CVE: CVE-2008-0228
SecurityRisk: Low
Remote Exploit: Yes
Local Exploit: No
Exploit Available: Yes
Credit: tomaz bratusa teamintell com
Published: 12.01.2008

Affected Software: Linksys WRT54 GL

Advisory Content:

========================================================================

Team Intell Security Advisory TISA2008-01

------------------------------------------------------------------------

Linksys WRT54 GL - Session riding (CSRF)

========================================================================

Release date: 07.01.2008

Severity: High

Remote-Exploit: yes

Impact: Session riding

Status: Official patch not available

Software: Linksys WRT54 GL

Tested on: firmware version 4.30.9

Vendor: http://www.linksys.com/

Vendor-Status: informed on 14.08.2007

Disclosed by: Tomaz Bratusa (Team Intell)[TISA-2008-01]

Introduction

============

The Linksys Wireless-G Broadband Router is really three devices in one box.
First, there's the Wireless Access Point, which lets you connect both
screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at
11Mbps) devices to the network. There's also a built-in 4-port full-duplex
10/100 Switch to connect your wired-Ethernet devices together. Connect four
PCs directly, or attach more hubs and switches to create as big a network
as you need. Finally, the Router function ties it all together and lets
your whole network share a high-speed cable or DSL Internet connection.

Security Risk

=============

Linksys WRT54GL is prone to an authentication-bypass vulnerability.
Reportedly, the device permits changes in its configuration settings
without requiring authentication (CSRF).

Technical Description

=====================

Linksys WRT54GL is prone to an authentication-bypass vulnerability. The
problem presents itself when a victim user visits a specially crafted web
page on an attacker-controlled site. An attacker can exploit this
vulnerability to bypass authentication and modify the configuration
settings of the device.

If the administrator of Linksys WRT54GL is logged into the device and opens
a malicious website or email with the same browser, he is subject to
attacks.

Imagine the worst case, where the administrator is constantly logged into
his firewall appliance because he needs to configure changes throughout
the day. A malicious link executing unnoticed by the administrator may open
the firewall.

This issue is reported to affect firmware version 4.30.9; other firmware
versions may also be affected.

PoC

===

https://192.168.1.1/apply.cgi?submit_button=Firewall&change_action=&action=Apply&block_wan=1&block_loopback=0&multicast_pass=0&ident_pass=0&block_cookie=0&block_java=0&block_proxy=0&block_activex=0&filter=off&_block_wan=1&_block_multicast=0&_ident_pass=1

Following the previous link will disable the firewall on 192.168.1.1 on your
LAN.

Workaround:

============

1. No official patch yet.

2. Do not surf the web when you are configuring your router.
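
A server-side check that would reject the request shown in the PoC, as an added example (not part of the Team Intell advisory and not Linksys firmware code). The handler model, the csrf_token field name and the allowed-origin list are assumptions; the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical model of a config-changing handler such as apply.cgi.
ALLOWED_ORIGINS = {"https://192.168.1.1"}  # assumed origin of the admin UI

def new_csrf_token() -> str:
    """Random per-session token the UI would embed in every form it renders."""
    return secrets.token_hex(16)

def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def check_state_change(method, headers, params, session_token):
    """Return (allowed, reason) for a request that would change settings."""
    # 1. Settings never change on GET, so a followed link or <img> cannot apply them.
    if method != "POST":
        return False, "state change requested over " + method
    # 2. The request must come from the admin UI's own origin.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or origin_of(source) not in ALLOWED_ORIGINS:
        return False, "missing or foreign Origin/Referer"
    # 3. The form must carry the session's secret token; a third-party page
    #    cannot read it, so it cannot forge this field.
    supplied = params.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
        supplied.encode(), session_token.encode()
    ):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed sample requests; the admin's browser is authenticated in all three.
TOKEN = new_csrf_token()
FORM = {"submit_button": "Firewall", "action": "Apply"}
SAMPLES = {
    "link followed from another site": (
        "GET", {"Referer": "http://other-site.example/page.html"}, FORM),
    "auto-submitted cross-site form": (
        "POST", {"Origin": "http://other-site.example"}, FORM),
    "admin UI form": (
        "POST", {"Origin": "https://192.168.1.1"}, {**FORM, "csrf_token": TOKEN}),
}

if __name__ == "__main__":
    for name, (method, headers, params) in SAMPLES.items():
        print(name, "->", check_state_change(method, headers, params, TOKEN))
```

The session cookie plays no part in the decision: the browser attaches it to cross-site requests too, which is why the token and origin checks are needed on top of authentication.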

References:

-------------------------------------------------

http://en.wikipedia.org/wiki/Cross-site_request_forgery

History/Timeline

================

14.08.2007 discovery of the vulnerability

14.08.2007 contacted the vendor

14.08.2008 Response from Cisco - They are working on it

22.10.2007 Request for status

30.10.2007 Response from Cisco - They will include the patch in the next
firmware upgrade

07.01.2008 advisory is written

07.01.2008 Vulnerability is made public

---------

Contact:

---------

Maldin d.o.o.

Trzaska cesta 2

1000 Ljubljana - SI

tel: +386 (0)590 70 170

fax: +386 (0)590 70 177

gsm: +386 (0)31 816 400

web: www.teamintell.com

www.varnostne-novice.com

e-mail: info(at)teamintell.com

------------

Disclaimer:

------------

The content of this report is purely informational and meant for
educational purposes only. Maldin d.o.o. shall in no event be liable for
any damage whatsoever, direct or implied, arising from use or spread of
this information. Any use of information in this advisory is entirely at
user's own risk.





