dd-wrt root vulnerability

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Wed Jul 22 02:07:50 UTC 2009


theregister has an article about a root vulnerability on recent dd-wrt 
builds:

http://www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/

From the article:

"The bug resides in DD-WRT's hyper text transfer protocol daemon, which 
runs as root. Because the httpd doesn't sanitize user-supplied input, 
it's vulnerable to remote command injection. While the httpd doesn't 
listen on the outbound interface, attackers can easily access it using 
CSRF (cross-site request forgery) techniques."

For people who have enabled remote httpd access, it's probably much worse.

Jamon
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




