Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    M0n0wall Multiple Cross Site Request Forgery Vulnerabilities

    Off-Topic & Non-Support Discussion
    4
    5
    2.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dhatz
      last edited by

      M0n0wall Multiple Cross Site Request Forgery Vulnerabilities 27 Dec. 2012

      Summary
      m0n0wall is prone to multiple cross-site request-forgery vulnerabilities because it fails to properly validate POST requests.

      Vulnerable Systems:  * m0n0wall 1.33

      Attackers can exploit these issues to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.

      An attacker can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

      The following exploit codes are available:
      http://downloads.securityfocus.com/vulnerabilities/exploits/56844.html.txt

      Disclosure Timeline:
      Published: December 06 2012

      1 Reply Last reply Reply Quote 0
      • G
        gderf
        last edited by

        Wasn't this fixed with the release of m0n0wall 1.34 on 11/12/2012?

        1 Reply Last reply Reply Quote 0
        • D
          dhatz
          last edited by

          Indeed it seems the XSS vulnerability issues have been fixed, according to http://m0n0.ch/

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            These may be ones we've already fixed in 2.0.2/2.1

            They look familiar.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • C
              cmb
              last edited by

              We fixed m0n0wall's CSRF issues over 2 years ago with csrfmagic, same thing they implemented recently. 2.0.2 fixed a couple that were found more recently.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post