Cross Site Action detected!

DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

Posted: Wed May 05, 2010 3:37
I found a workaround, but only for Firefox for now.

There is an Add-On for Firefox called "No Referrer (Misspelled Referer)" which lets you configure per-site referrer blocking. I loaded it in Firefox and created a rule in it for anything that is on my LAN. Worked like a charm. :-)

So far nothing I can do about Chrome or IE, though. Looks like an "all or nothing" setting for them. And no "plug-ins" of any kind that I can find which will do it like the Firefox one. :-(

Oh well, I normally use Firefox anyway. Just would have preferred a workaround that was browser agnostic.
Terminator_48
DD-WRT Novice


Joined: 05 May 2010
Posts: 5
Location: Moritzburg, Germany

Posted: Thu May 06, 2010 12:16
Hi DWolfman,

thank you for that add-on workaround for Firefox. I'm very happy now ...

regards
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

Posted: Mon Sep 27, 2010 4:53
phuzi0n wrote:
Cross site scripting attacks happen from visiting sites with your own browser. If you browse the web and have an old build then you're vulnerable to the attack. It's very unlikely the devs will spend any time on this but if you want you can create a ticket for it.

http://svn.dd-wrt.com:8000/dd-wrt/timeline


And something did come of my ticket, though I didn't see it until now.

http://svn.dd-wrt.com:8000/dd-wrt/ticket/1483

Looks like we get the option to disable it by entering a NVRAM variable. Thanks guys!
kilimats
DD-WRT Novice


Joined: 18 Feb 2011
Posts: 5

Posted: Fri Feb 18, 2011 16:56
DWolfman wrote:

And something did come of my ticket, though I didn't see it until now.

http://svn.dd-wrt.com:8000/dd-wrt/ticket/1483

Looks like we get the option to disable it by entering a NVRAM variable. Thanks guys!


Hi DWolfman

I need to disable the "Cross Site Action detected!" on my DD-WRT. Where do I need to enter the NVRAM variable and what is the variable code? The link you posted is no longer valid.

I am getting this "Cross Site Action detected!" when I FRAME REDIRECT a domain to my DD-WRT webserver. The only solution I found was to switch from FRAME REDIRECT to HTTP REDIRECT, but the URL shown in the address bar becomes the DynDNS.org address, so that's not really a solution :(

Let me know if you can help, thanks a lot !
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

Posted: Fri Feb 18, 2011 17:38
http://svn.dd-wrt.com:8000/ticket/1483

TRAC URL changed.

redhawk

_________________
The only stupid question....is the unasked one.
kilimats
DD-WRT Novice


Joined: 18 Feb 2011
Posts: 5

Posted: Fri Feb 18, 2011 18:32
Thanks redhawk0

I made the change, rebooted the router and made sure the config was still running by doing:

nvram get no_crossdetect
1

However, when I load the website using FRAME redirect, I still get the red screen: Cross Site Action detected!

Any idea what I am missing?

My goal is to host my website on the DD-WRT and have my registrar FRAME redirect the domain name to the dyndns domain which points to my dynamic IP. Like I said earlier, when I set HTTP redirect on the registrar control panel, it works fine but the URL in the address bar is the one from Dyndns, not the original domain :(
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Feb 18, 2011 18:40
You need build 14962 or higher as indicated in the ticket.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
kilimats
DD-WRT Novice


Joined: 18 Feb 2011
Posts: 5

Posted: Fri Feb 18, 2011 18:50
I have a Buffalo WZR-HP-G300NH router and the latest version shown in the router database is build 14896.

How can I download this newer version and will it work with my router?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Feb 18, 2011 19:31
You should read the build threads in the Atheros forum to find out other users' experiences with each build, but you can find all beta builds here:

ftp://dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

Posted: Sat May 07, 2011 16:50
phuzi0n wrote:
You need build 14962 or higher as indicated in the ticket.


Finally got around to trying this out. Loaded build 15962 of Brainslayer's builds to my WRT54G v8. Set the no_crossdetect to 1 like it says in my bug report, rebooted the router and closed my browser, then reopened the browser and went through my server's web page link. It does not work. I still get the error page.

The web page I have in my server is simply using plain HTML 3.2 code with just an href statement for the URL. Standard non-frame link in a web page.

Would it be best to reopen bug 1483 or just make a new one?
Terminator_48
DD-WRT Novice


Joined: 05 May 2010
Posts: 5
Location: Moritzburg, Germany

Posted: Tue Jun 07, 2011 8:09    Post subject: Cross Site Action detected!
I have found:
http://board.unite.ws/board3-hilfe-support/board17-tutorials/board57-security/784-no-referer-bei-firefox-aktivieren-googles-ip-sammelwut-umgehen/

Firefox 4 about:config
network.http.sendRefererHeader=0

It works on: DD-WRT v24-sp2 (10/10/09) vpn - build 13064
There seem to be no other problems.

Regards
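
The three behaviours reported in this thread (a link from another site is blocked, a request with no Referer passes, and the nvram flag switches the check off on builds that include it) are what a same-host Referer check produces. The sketch below is an added example, not DD-WRT's code: the function names, the flag semantics and the sample hosts are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the host of "scheme://host[:port]/path" into out; -1 if unparsable.
 * IPv6 literals are not handled in this sketch. */
static int url_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    size_t n;
    if (!p) return -1;
    p += 3;
    n = strcspn(p, ":/?#");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Case-insensitive comparison of a parsed host with the first n bytes of b. */
static int host_eq(const char *a, const char *b, size_t n)
{
    size_t i;
    if (strlen(a) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* 1 = serve the request, 0 = show the block page.
 * no_crossdetect stands in for the nvram flag of that name (assumed semantics). */
int referer_allows(const char *referer, const char *host_hdr, int no_crossdetect)
{
    char ref_host[256];
    if (no_crossdetect) return 1;            /* check switched off */
    if (!referer || !*referer) return 1;     /* browser sent no Referer */
    if (!host_hdr || url_host(referer, ref_host, sizeof ref_host) != 0)
        return 0;                            /* unparsable input: fail closed */
    return host_eq(ref_host, host_hdr, strcspn(host_hdr, ":"));
}

int main(void)
{
    /* Constructed requests; addresses and host names are placeholders. */
    printf("%d\n", referer_allows("http://myserver.lan/links.html", "192.168.1.1", 0));
    printf("%d\n", referer_allows(NULL, "192.168.1.1", 0));
    printf("%d\n", referer_allows("http://192.168.1.1/index.asp", "192.168.1.1:80", 0));
    printf("%d\n", referer_allows("http://myserver.lan/links.html", "192.168.1.1", 1));
    return 0;
}
```

The empty-Referer branch is the one both Firefox workarounds in this thread rely on; the flag branch corresponds to the nvram setting.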
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

Posted: Thu Sep 01, 2011 20:11
Came back to check on this thread after a while. Still not working for me with build 15962 in my router. :(

Do I need to reopen the bug ticket?

I'll try some more recent beta builds if need be.
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

Posted: Thu Sep 01, 2011 20:12    Post subject: Re: Cross Site Action detected!
Terminator_48 wrote:
I have found:
http://board.unite.ws/board3-hilfe-support/board17-tutorials/board57-security/784-no-referer-bei-firefox-aktivieren-googles-ip-sammelwut-umgehen/

Firefox 4 about:config
network.http.sendRefererHeader=0

It works on: DD-WRT v24-sp2 (10/10/09) vpn - build 13064
There seem to be no other problems.

Regards


Another workaround, thanks. I'm still using the one I found in Firefox, but keep getting reminded that this nvram variable doesn't work when I use IE or Chrome. :(
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

Posted: Mon Oct 24, 2011 17:00
Just an FYI, it appears this is working again in 17201. I decided to try the last build available to see if it would work, and the setting does work.

As a bonus, the router is much more stable now. Previously, I had it restarting itself every day, because it would seem to "lose its mind" after only 2 or 3 days of average usage (downloading a couple Linux ISOs, updating my local repositories, a little torrenting, along with typical web browsing). When it "lost its mind", browsing would get sluggish and the router's web interface would usually not come up, or would appear but without the CSS info so it looked like crap. When it got like that, I'd have to power cycle it to get it back.

Here's the current uptime, straight out of the web interface: up 14 days, 6:59

I'd say that's a little more stable, since torrenting seemed to be this little WRT54G v8 router's main weakness (it lasted longer if I didn't do that). Plus I've pulled in a LOT of stuff over the last two weeks, as the traffic meter shows:

Total Traffic
Incoming (MBytes) 89692
Outgoing (MBytes) 8481

About 1/3rd of that was from some torrent downloads I had running, some going the whole time it's been up! :)
kilimats
DD-WRT Novice


Joined: 18 Feb 2011
Posts: 5

Posted: Tue Oct 25, 2011 1:18
Forgot to update this thread.

I upgraded the firmware to "DD-WRT v24-sp2 (10/02/10) std - build 15334" and the issue was resolved.

Thx for the help guys