Slashdot Mirror


Critical Flaw Discovered In DD-WRT

MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux-based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.


  1. Re:Standard Practices by karnal · Score: 1, Redundant

    Alright, I'm a n00b. I didn't read that second line fully before posting regarding the injection.

    --
    Karnal
  2. Re:Oh no! by TheMeuge · Score: 0, Redundant

    And the reason you cannot specify that only wired connections can access the management interface is what exactly?

  3. This issue is way overblown. FUD by Anonymous Coward · Score: 0, Redundant

    This only affects users who enabled remote web management, which is turned off by default. Remote web management is a setting that lets you access and change settings over the Internet, which would be stupid to turn on in the first place except under special circumstances (i.e., router was behind other routers and you needed to change settings remotely).

    FURTHERMORE, it only affects http, NOT https.. and if you are configuring network infrastructure settings or router passwords without a secure connection over the Internet, you shouldn't be managing networks.

    It is a security issue, but this is way overblown... It's not going to affect 99.999% of the userbase.. I wish whoever submitted this FUD would have actually read the article or understood the problem.