BugTraq
Linksys WRT54 GL - Session riding (CSRF) Jan 07 2008 09:40AM
tomaz bratusa teamintell com (3 replies)
Re: Linksys WRT54 GL - Session riding (CSRF) Jan 11 2008 10:54AM
Florian Weimer (fw deneb enyo de) (1 replies)
RE: Linksys WRT54 GL - Session riding (CSRF) Jan 14 2008 07:20AM
Tomaz (tomaz bratusa teamintell com) (2 replies)
Re: Linksys WRT54 GL - Session riding (CSRF) Jan 14 2008 06:58PM
Jan Heisterkamp (janheisterkamp web de) (1 replies)
Re: Linksys WRT54 GL - Session riding (CSRF) Jan 15 2008 06:14PM
Valdis Kletnieks vt edu
On Mon, 14 Jan 2008 12:58:17 CST, Jan Heisterkamp said:
> > A malicious link executing unnoticed by the administrator may open the firewall.
>
> The catch is that this exploit don't work unnoticed, because the admin
> get notification in the browser that there has occured an error with the
> cerificate ["Unable to verify the identity of Linksys as a trusted
> site"] and he has explicity allow it. In other words first he has to
> allow to be attacked...

A very high percentage of Joe Sixpack "sysadmins" sitting at home surfing
for Nascar and pr0n will go "Yeah, whatever" and click OK anyhow. A long time
ago, I stopped thinking that "User must click OK to scary-looking message"
was any sort of road bump for malware.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFHjPfrcC3lWbTT17ARAmiJAJ4p8ygPKdImMGxoXifxS07Mhg8DsQCfT2Ao
fRrj23lzdRb1cYCnrHbabt8=
=GHCW
-----END PGP SIGNATURE-----

[ reply ]
Re: Linksys WRT54 GL - Session riding (CSRF) Jan 14 2008 05:31PM
J. Oquendo (sil infiltrated net)
Re: Linksys WRT54 GL - Session riding (CSRF) Jan 07 2008 07:42PM
Jan Heisterkamp (janheisterkamp web de)
Re: Linksys WRT54 GL - Session riding (CSRF) Jan 07 2008 07:19PM
Jan Heisterkamp (janheisterkamp web de)


 

Privacy Statement
Copyright 2010, SecurityFocus