Audun Larsen
2011-12-29 22:01:15 UTC
Hi all,
Yesterday I was writing an article about [Cross Site Request
Forgery](1), and m0n0wall suddenly came to mind. You might think that
m0n0wall is not vulnerable because it's only accessible from the local
network, but this is not the case. Attacking m0n0wall this way would
be a smart approach (imho).
Anyway, to the point. Attached is a patch (should apply on the
freebsd8 branch) with a suggestion on how to protect m0n0wall from
CSRF attacks.
Note that I have only applied CSRF protection on index.php and
system.php just to display how it works. It would be easy to implement
on the rest of the pages and create a new patch if this method is
accepted.
I would walk you trough the changes in the patch:
webgui/fbegin.inc:
Display an error if the CSRF token was not accepted.
webgui/guiconfig.inc:
Add the $csrf_pages setting. Just an array containing pages that
should be protected from CSRF attacks.
Added the function rand_bytes() that is used to create slightly
better random data than just mt_rand().
webgui/auth.inc:
This is where the actual protection happens. If the page requested
is in the $csrf_pages array, we will check that the correct one time
token is supplied. If not, we simply unset() the $_POST array, and
display an error message.
This patch is not perfect and there are some things i will fix if this
patch is something you would like to commit:
- Tokens should only be valid once.
- Tokens should expire after one hour (or something).
(1) : http://en.wikipedia.org/wiki/Cross-site_request_forgery
Yesterday I was writing an article about [Cross Site Request
Forgery](1), and m0n0wall suddenly came to mind. You might think that
m0n0wall is not vulnerable because it's only accessible from the local
network, but this is not the case. Attacking m0n0wall this way would
be a smart approach (imho).
Anyway, to the point. Attached is a patch (should apply on the
freebsd8 branch) with a suggestion on how to protect m0n0wall from
CSRF attacks.
Note that I have only applied CSRF protection on index.php and
system.php just to display how it works. It would be easy to implement
on the rest of the pages and create a new patch if this method is
accepted.
I would walk you trough the changes in the patch:
webgui/fbegin.inc:
Display an error if the CSRF token was not accepted.
webgui/guiconfig.inc:
Add the $csrf_pages setting. Just an array containing pages that
should be protected from CSRF attacks.
Added the function rand_bytes() that is used to create slightly
better random data than just mt_rand().
webgui/auth.inc:
This is where the actual protection happens. If the page requested
is in the $csrf_pages array, we will check that the correct one time
token is supplied. If not, we simply unset() the $_POST array, and
display an error message.
This patch is not perfect and there are some things i will fix if this
patch is something you would like to commit:
- Tokens should only be valid once.
- Tokens should expire after one hour (or something).
(1) : http://en.wikipedia.org/wiki/Cross-site_request_forgery
--
Audun Larsen
Twitter: http://twitter.com/xqus
This email is: [ ] shareable [X] ask first [ ] private
Audun Larsen
Twitter: http://twitter.com/xqus
This email is: [ ] shareable [X] ask first [ ] private