Linksys WRT110 Cross-Site Request Forgery and Command Injection Vulnerability

Linksys WRT110 Cross-Site Request Forgery and Command Injection Vulnerability

Release date:
Updated on: 2013-07-16

Affected Systems:
Linksys WRT110
Description:
--------------------------------------------------------------------------------
Bugtraq id: 61151
CVE (CAN) ID: CVE-2013-3568

Linksys WRT110 is a wireless router product.

Linksys WRT110 has the root shell command injection vulnerability that is exploited by cross-site Request Forgery. This vulnerability occurs because the Web interface does not effectively filter ping targets and lacks the csrf token. Remote attackers can exploit this vulnerability to execute certain administrator operations and execute arbitrary shell commands as root.

<* Source: Craig Young (@ CraigTweets)

Link: http://seclists.org/bugtraq/2013/Jul/78
Http://www.securityfocus.com/archive/1/527226
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Linksys
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.linksys.com