lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 15 Jan 2008 13:14:03 -0500
From: Valdis.Kletnieks@...edu
To: Jan Heisterkamp <janheisterkamp@....de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Linksys WRT54 GL - Session riding (CSRF)

On Mon, 14 Jan 2008 12:58:17 CST, Jan Heisterkamp said:
> > A malicious link executing unnoticed by the administrator may open the firewall.
> 
> The catch is that this exploit don't work unnoticed, because the admin 
> get notification in the browser that there has occured an error with the 
> cerificate ["Unable to verify the identity of Linksys as a trusted 
> site"] and he has explicity allow it. In other words first he has to 
> allow to be attacked...

A very high percentage of Joe Sixpack "sysadmins" sitting at home surfing
for Nascar and pr0n will go "Yeah, whatever" and click OK anyhow.  A long time
ago, I stopped thinking that "User must click OK to scary-looking message"
was any sort of road bump for malware.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ