Gaping Hole in DD-WRT: Router Software with Back Door

Jul 24, 2009

The free router software DD-WRT opens in its version 24(SP1) a huge door due to a vulnerability in its HTTP daemon server.

The problem with the DD-WRT router software is the httpd process doesn't sufficiently test user input and, therefore, is vulnerable to cross-site request forgery (CSRF) attacks.

Takeover of the systems requires only a shell-created crafted link that brings the user to a posting that does the damage without even needing an authenticated session. SecurityFocus has the serious bug still listed as unresolved. The DD-WRT forum meanwhile points to bug fixes for the large number of router models affected.

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News