Full Disclosure
mailing list archives
Re: NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF - SOS-11-011
From: Valdis.Kletnieks () vt edu
Date: Tue, 20 Sep 2011 08:06:30 -0400
On Tue, 20 Sep 2011 12:18:43 +1000, Lists said:
> Basic authentication is used as the primary and only authentication
> mechanism for the administrator interface on the device. The basic
> authentication can be bypassed by sending a valid POST request to the
> device without sending any authentication header. The response from the
> device sends the user to another page that requests basic
> authentication, however at this point the request has already been
> processed.
The.. request.. has.. already.. been.. processed. *facepalm*. ;)
The most obvious way to screw this up:
    if (request_not_validated())
        send_error_page();
    else
        execute_request();
and somebody forgot the 'else', making the execute a fall-through.
But how does something like that slip through basic testing?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
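
The fall-through shape discussed in the message above, next to the corrected shape, with a regression check that looks at device state rather than only at the response. This is an added example, not code from the post or from the device firmware; the structs, the handler names and the SSID field are hypothetical stand-ins, and only request_not_validated() and execute_request() are taken from the post's pseudocode.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for a device admin handler; all names are hypothetical. */
struct request  { const char *auth_header; const char *new_ssid; };
struct device   { char ssid[33]; };
struct response { int status; };
typedef struct response (*handler_fn)(struct device *, const struct request *);

static bool request_not_validated(const struct request *r) {
    /* Placeholder check: a real handler would verify the Basic credentials. */
    return r->auth_header == NULL;
}

static void execute_request(struct device *d, const struct request *r) {
    strncpy(d->ssid, r->new_ssid, sizeof d->ssid - 1);
    d->ssid[sizeof d->ssid - 1] = '\0';
}

/* Flawed shape: the error status is set, then control falls through. */
struct response handle_fallthrough(struct device *d, const struct request *r) {
    struct response resp = { 200 };
    if (request_not_validated(r))
        resp.status = 401;            /* stands in for send_error_page() */
    execute_request(d, r);            /* runs on every path */
    return resp;
}

/* Corrected shape: reject and return before any state is touched. */
struct response handle_checked(struct device *d, const struct request *r) {
    struct response resp = { 200 };
    if (request_not_validated(r)) {
        resp.status = 401;
        return resp;
    }
    execute_request(d, r);
    return resp;
}

/* Regression check: true only if an unauthenticated request is rejected
 * AND the device configuration is unchanged afterwards. */
bool unauth_request_is_inert(handler_fn h) {
    struct device d = { "factory" };
    struct request r = { NULL, "changed" };   /* constructed input, no auth header */
    struct response resp = h(&d, &r);
    return resp.status == 401 && strcmp(d.ssid, "factory") == 0;
}
```

Both handlers return the same 401 to an unauthenticated request, so a test that inspects only the response passes the flawed one; the state comparison is what separates them.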