Slashdot Mirror
Major Flaw Found In Security Products
ancientribe writes "A stealthy and potentially dangerous bug has been discovered in security products from eight different vendors, including Check Point Software, according to an article in Dark Reading. The so-called cross-site request forgery (CSRF) lets an attacker access the user's network and even conduct transactions on behalf of the user. It could affect over a million installations, but so far, Check Point is the only security vendor to step up and patch it. This vulnerability is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones." An article on the vulnerability from last fall quotes Jeremiah Grossman, CTO of WhiteHat Security, who calls CSRF "the sleeping giant" vulnerability: "It's not seen as a vulnerability because it works like the Web works."
Anyone here like me who does managed firewall work, please notify your clients and get them updated! But this is Slashdot, and we all update our stuff don't we? :) Also, this kind of thing is irrespective of whether or not you allow remote web management of your device. Also, this is further evidence for why you should not use the default internal IP range the device gives you. Please always change the local LAN IP range!
I'm surprised it took this long to find something like this, but I'm not at all surprised it existed. I've loved web interfaces like these but I've always been nervous about them.
What does this mean?
i sabled&username=Admin&password=" and if they convince you to click on it, your internet turns off.
It means that if you do something stupid like leave the default username/password for your "appliance" or log in and pick up a session cookie then go browse somewhere else, someone can set up a link like "http://192.168.0.1/networksetting.cgi?internet=d
Except that they don't have to convince you to click on it, they could set that as the source of an image... you'd see a broken image tag and then the internet would stop working. Then they just have to get that image tag onto a website you read, say through an ad vendor (some of whom obviously don't care that they're hosting malware, so why not?) or an email to a webmail address that doesn't filter image tags.
This is how the internet works. Your browser follows links, and doesn't know or care about whats there until it gets there.
There is a simple example / introduction to CSRF attacks here.
Anyone with a Check Point Edge or SofaWare appliance, be aware that if you do the reset procedure, you will be restoring both the original configuration *AND* the original firmware image that shipped with the product. Yes, the original image is still there. If you have a very old v3.x firmware box like I had one time, after upgrading to v6.5.x (back then) and then doing a reset, you're in for a surprise :)
Using POST will help, but it doesn't solve the problem.
An attacker could still host a hidden FORM pointing at your local application, and use Javascript to submit it.
CSRF explained, albeit clumsily. The examples made the article. Solution: use POST requests for user actions, and add unique tokens to each form.
technical writing / development
Parent link is very helpful in understanding CSRF. In brief: malicious site knows or guesses you are logged in at paypal, slashdot, some valuable site, etc. ... malicious site sends you javascript that generates a form and submits it to valuable site. Valuable site sees it coming from your browser, so the cookies are valid. You are logged in, aren't you?
This lets malicious site do things like send $10 donations from your paypal account, submit blogspam, get your account balance, etc. if you can be convinced to visit malicious site.
http://www.cgisecurity.com/articles/csrf-faq.shtm
Believe me, if I started murdering people, there would be none of you left.
While it's true that it's much better to follow the RFC here, just switching to POST doesn't solve the CSRF problem. An attacker could set up a malicious Web page which has a form with all the necessary parameters and a JavaScript to automatically submit it, hence meeting the POST requirement. Similarly, if the client has an older version of Flash or a buggy version which does not obey same-source security principles, the attacker could embed a malicious SWF which creates the entire HTTP request from scratch, even forging the Referer header if you were checking that as a security measure.
This is another good reason for using Firefox extensions such as Flashblock and Noscript. As a client, you can protect yourself pretty easily from a lot of these attacks. Noscript also has some nice features which help filter out the more common brands of XSS attacks.
---- Just another spud server.
POST doesn't help onclick=form.submit()
You can still do hidden posts with javascript. Just hook up the post to fire on onload or onclick of anything on the malicious site. The form response can be targeted to a hidden iframe so it's invisible to the user.
Most people have already turned off their browsers post warning and even if they didn't they don't have any reason to think it's posting to their bank's website or firewall device instead of the malicious site.
(okay, I know nothing about scripting and this is just an example but you get the idea)
How do I supply this link to your browser? One example is on a malicious web page in an image tag, there are many others.
Since you have a
Bad boys rape our young girls but Violet gives willingly.
from 1 to 0 .
Namaste
Of course, while that's generally good advice, it does very little to prevent CSRF. Instead of using an image, they could use an iframe or JavaScript code or anything else that loads a URL.
http://www.skullsecurity.org/blog/