[ previous ] [ next ] [ threads ]
 
 From:  Audun Larsen <larsen at xqus dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Patch: m0n0wall CSRF
 Date:  Thu, 29 Dec 2011 23:01:15 +0100
Hi all,

Yesterday I was writing an article about [Cross Site Request
Forgery](1), and m0n0wall suddenly came to mind. You might think that
m0n0wall is not vulnerable because it's only accessible from the local
network, but this is not the case. Attacking m0n0wall this way would
be a smart approach (imho).

Anyway, to the point. Attached is a patch (should apply on the
freebsd8 branch) with a suggestion on how to protect m0n0wall from
CSRF attacks.

Note that I have only applied CSRF protection on index.php and
system.php just to display how it works. It would be easy to implement
on the rest of the pages and create a new patch if this method is
accepted.

I would walk you trough the changes in the patch:

webgui/fbegin.inc:
  Display an error if the CSRF token was not accepted.

webgui/guiconfig.inc:
  Add the $csrf_pages setting. Just an array containing pages that
should be protected from CSRF attacks.
  Added the function rand_bytes() that is used to create slightly
better random data than just mt_rand().

webgui/auth.inc:
  This is where the actual protection happens. If the page requested
is in the $csrf_pages array, we will check that the correct one time
token is supplied. If not, we simply unset() the $_POST array, and
display an error message.

This patch is not perfect and there are some things i will fix if this
patch is something you would like to commit:
- Tokens should only be valid once.
- Tokens should expire after one hour (or something).

(1) : http://en.wikipedia.org/wiki/Cross-site_request_forgery

-- 
Audun Larsen

Twitter: http://twitter.com/xqus