CSRF Vulnerabilities & pfSense
  • Hey Guys,

    I just read this on Slashdot:

    http://www.darkreading.com/document.asp?doc_id=127731&WT.svl=news1_1

    Of course this begs the question, is the CSRF attack vector applicable to the pfSense GUI?  If not, what steps have been taken to prevent manipulation of the GUI by foreign sites?

    Thanks for the great firewall!
    Martin



  • @martin.beauchamp:

    Of course this begs the question, is the CSRF attack vector applicable to the pfSense GUI?

    Yes. It's extremely unlikely to be exploited though. An attacker would have to know the IP of the box (likely private), know it's running pfSense, you would have to already be authenticated to it, and they would have to convince you to go to a page.

    With the authentication changes coming in 1.3, this will be even more difficult to accomplish, and we may make other changes (like using POST instead of GET) to make this more difficult still.
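    The mitigations mentioned above (state changes only over POST, plus a per-session token a foreign page cannot read) sketched as an added example; this is illustrative code, not pfSense's own GUI code, and the paths, session id and origin it uses are constructed:

    ```python
    import hashlib
    import hmac
    import secrets
    from typing import Optional, Tuple

    # Constructed per-process secret; a real GUI would load it from protected config.
    SERVER_SECRET = secrets.token_bytes(32)

    # Constructed example paths that change firewall state (hypothetical names).
    MUTATING_PATHS = {"/rules/apply", "/users/add"}


    def issue_csrf_token(session_id: str) -> str:
        """Derive a per-session token to embed as a hidden form field.
        A foreign site cannot read it: the same-origin policy hides the
        firewall's responses from scripts running on other origins."""
        return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


    def check_request(method: str, path: str, session_id: Optional[str],
                      form: dict, headers: dict, own_origin: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for an incoming GUI request."""
        if session_id is None:
            return False, "unauthenticated"
        if path not in MUTATING_PATHS:
            return True, "read-only request"
        # Mutations must use POST: a GET can be fired by an <img> tag on any page.
        if method != "POST":
            return False, "state change must use POST"
        # Browsers attach Origin to cross-site POSTs; reject any foreign origin.
        origin = headers.get("Origin")
        if origin is not None and origin != own_origin:
            return False, "cross-origin request rejected"
        # Finally the synchronizer token, compared in constant time.
        expected = issue_csrf_token(session_id)
        supplied = form.get("csrf_token", "")
        if not hmac.compare_digest(expected, supplied):
            return False, "missing or invalid CSRF token"
        return True, "authenticated same-origin POST with valid token"


    if __name__ == "__main__":
        sid = "sess-abc123"  # constructed session id
        own = "https://192.168.1.1"  # the default LAN address the thread mentions
        good = {"csrf_token": issue_csrf_token(sid)}
        print(check_request("POST", "/rules/apply", sid, good, {"Origin": own}, own))
        print(check_request("GET", "/rules/apply", sid, {}, {}, own))
    ```

    The unauthenticated case maps to the "username/password box" the developer describes: without a session there is nothing for a forged request to ride on.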



  • Hmm, I can imagine a scenario where most of those prerequisites are in place.

    Someone hacks slashdot.org, digg.com, engadget.com, etc. and there's a pop-up that goes unnoticed which stays open for the whole day and waits for the user to authenticate to any one of several management interfaces (pfSense, Checkpoint, Cisco, etc.).

    As network admins, maybe we should all be using a completely separate web browser for interfaces that manage valuable resources?

    In any event, I'm glad that you and the other pfSense devs are aware of this and are thinking of ways to mitigate the risk.

    Martin



  • @martin.beauchamp:

    Hmm, I can imagine a scenario where most of those prerequisites are in place.

    Someone hacks slashdot.org, digg.com, engadget.com, etc. and there's a pop-up that goes unnoticed which stays open for the whole day and waits for the user to authenticate to any one of several management interfaces (pfSense, Checkpoint, Cisco, etc.).

    It's not that simple. You can't wait for it to happen, as there isn't any way for a malicious page to know what you're authenticated to, without a browser security issue. For something as you describe to be effective, you have to be already authenticated, and they would have to know the IP you use to manage your system. If you assume most are probably using the default 192.168.1.1, you could potentially hit a decent number of users. Most probably aren't already authenticated so it would pop up a username/password box.

    @martin.beauchamp:

    As network admins, maybe we should all be using a completely separate web browser for interfaces that manage valuable resources?

    Absolutely. That's the only guaranteed protection against something of this nature.



  • Or use a VMware instance running Firefox on some sort of live CD.
