Cross Site Action detected!

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3  Next
Author Message
tipstir
DD-WRT User


Joined: 05 Nov 2007
Posts: 115
Location: USA

PostPosted: Wed Feb 04, 2009 6:09    Post subject: Cross Site Action detected! Reply with quote
400 Bad Request
Cross Site Action detected!


Pink background

How can I solve this with dd-wrt v24 sp2 on WHR-HP-G54.
If I don't use a web server and use file:// it works but if I use http://IP address and call-up object link I get that above. If I try to access DD-WRT Web Admin. Only on that not on other Web Guides or Web Admin for Access Point do I get this error. Now I have to click go and get into to admin.

_________________
Best Regards,
Tipstir

Routers/AP
EnGenius ESR-9850 1.00/1.12(DHCP)
EnGenius ESR-9850 1.00/1.09 (AP)
Belkin N+ F5D8235-4 v1000/1.01.28 (2x)
Dlink DIR-655 A3/1.32NAB03 Gig
Trendnet TEW-652BRP w/DIR-615 C1/3.11NA
Buffalo WHR-HP-G54 w/DD-WRT V24/SP2/7/09 (2X)
Sponsor
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Wed Feb 04, 2009 6:40    Post subject: Reply with quote
are you using some software which blocks or alters the http referer header? if so, disable it when trying to login to the router.
tipstir
DD-WRT User


Joined: 05 Nov 2007
Posts: 115
Location: USA

PostPosted: Wed Feb 04, 2009 16:18    Post subject: Reply with quote
I use a web server on Windows Server 2003 R2 Enterprise SP2. But I just did this:

file://///

If I do that from the browser which bypass the web server then I have drop down menu to access all Network Web embedded onto my intranet web site. I don't get that problem

If I use the web server (XSERVER)

http://host computer IP/alias/site name

Intranet site opens I click on the drop down menu for Router using DD-WRT then bang I get the http:\\ip address of the router and it's suppose to invoke the DD-WRT System Information Screen

400 Bad Request
Cross Site Action detected!

Nothing has been changed it worked under DIR-655 using their firmware but not under DD-WRT. I can still invoke it but I have to press goto get around it. Strange.

Firefox 3.06..

For the heck of it I just tested this under IE7 which I don't use. I sure enough it worked! But not under Firefox?

Anyone know why this Cross Site Action is only showing up on DD-WRT using Firefox. If I use Trendnet firmware Web Admin on it's TEW-654BRP it doesn't do this. Same for my Print Server Web Adm opens okay under Firefox.

_________________
Best Regards,
Tipstir

Routers/AP
EnGenius ESR-9850 1.00/1.12(DHCP)
EnGenius ESR-9850 1.00/1.09 (AP)
Belkin N+ F5D8235-4 v1000/1.01.28 (2x)
Dlink DIR-655 A3/1.32NAB03 Gig
Trendnet TEW-652BRP w/DIR-615 C1/3.11NA
Buffalo WHR-HP-G54 w/DD-WRT V24/SP2/7/09 (2X)
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Thu Feb 05, 2009 1:09    Post subject: Reply with quote
BrainSlayer recently added some code to help prevent cross site request forgeries. The behavior you are experiencing is intentional.

Check the host and referer fields with a network sniffer. My guess is that Firefox and IE are using different headers. It might be a bug in the web browser.
tipstir
DD-WRT User


Joined: 05 Nov 2007
Posts: 115
Location: USA

PostPosted: Thu Feb 05, 2009 19:37    Post subject: Reply with quote
soulstace wrote:
BrainSlayer recently added some code to help prevent cross site request forgeries. The behavior you are experiencing is intentional.

Check the host and referer fields with a network sniffer. My guess is that Firefox and IE are using different headers. It might be a bug in the web browser.


Thanks! Sounds like that's the problem..

_________________
Best Regards,
Tipstir

Routers/AP
EnGenius ESR-9850 1.00/1.12(DHCP)
EnGenius ESR-9850 1.00/1.09 (AP)
Belkin N+ F5D8235-4 v1000/1.01.28 (2x)
Dlink DIR-655 A3/1.32NAB03 Gig
Trendnet TEW-652BRP w/DIR-615 C1/3.11NA
Buffalo WHR-HP-G54 w/DD-WRT V24/SP2/7/09 (2X)
freonchill
DD-WRT Guru


Joined: 17 Jul 2006
Posts: 2055

PostPosted: Thu Feb 05, 2009 19:38    Post subject: Reply with quote
what version of firefox are you using that you are having this problem with?
_________________
2x WRT54G v5, 2x WRT54G v2
1x WRT54G-TM
1x WRT54GL
1x WRT54G2 v1
2x BUFFALO WHR-G54S
2x BUFFALO WHR-G300N v2
1x BUFFLOW WHR-HP-G300N
1x La Fonera
FON Client Bridge tutorial
tipstir
DD-WRT User


Joined: 05 Nov 2007
Posts: 115
Location: USA

PostPosted: Wed Feb 18, 2009 7:12    Post subject: Reply with quote
freonchill wrote:
what version of firefox are you using that you are having this problem with?


I still get it.. First with 3.05 and now with 3.06. But not with IE 6 or 7. But it's strange On all Windows XP Pro SP3 I get it, but not with Windows Server 2003 R2 Enterprise Edition SP2. That uses FF 3.06 loads okay.

_________________
Best Regards,
Tipstir

Routers/AP
EnGenius ESR-9850 1.00/1.12(DHCP)
EnGenius ESR-9850 1.00/1.09 (AP)
Belkin N+ F5D8235-4 v1000/1.01.28 (2x)
Dlink DIR-655 A3/1.32NAB03 Gig
Trendnet TEW-652BRP w/DIR-615 C1/3.11NA
Buffalo WHR-HP-G54 w/DD-WRT V24/SP2/7/09 (2X)
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

PostPosted: Sun May 02, 2010 23:53    Post subject: Reply with quote
soulstace wrote:
BrainSlayer recently added some code to help prevent cross site request forgeries. The behavior you are experiencing is intentional.

Check the host and referer fields with a network sniffer. My guess is that Firefox and IE are using different headers. It might be a bug in the web browser.


I get this now that I've loaded a more recent build (see end of post for model and DD-WRT version). Is there a way to turn it off?

I have Chrome, Firefox, and IE installed, it does this with all three browsers, the way I used to access it with build 10020.

I have a Linux server with Apache serving up local web pages for my in-house LAN. It's at server.dwolfman.lan, and I have DNS and other items set up to point router.dwolfman.lan to the WRT54G. The main index page in Apache has a set of links, including one to the router.

On older firmwares, I could click that link and get the login prompt for the router. With this firmware, I get this same 400 error page. All I have to do is click in the address bar of whatever browser I'm using, and hit enter, then all is good.

It's really annoying, and I would like the old functionality back if at all possible.

Router info:
Router Model Linksys WRT54Gv8
Firmware Version DD-WRT v24-sp2 (10/10/09) micro - build 13064
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon May 03, 2010 0:03    Post subject: Reply with quote
It's won't be going away any time soon and old builds that don't have it are vulnerable to some serious attacks.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

PostPosted: Tue May 04, 2010 4:40    Post subject: Reply with quote
phuzi0n wrote:
It's won't be going away any time soon and old builds that don't have it are vulnerable to some serious attacks.

So, any possibility that this can be disabled for those that want the old functionality, like me? Or maybe to have the option to disable it added to future builds? My router is not configured for external access to the config pages, so I'm not worried about anyone trying to hack it.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue May 04, 2010 6:22    Post subject: Reply with quote
Cross site scripting attacks happen from visiting sites with your own browser. If you browse the web and have an old build then you're vulnerable to the attack. It's very unlikely the devs will spend any time on this but if you want you can create a ticket for it.

http://svn.dd-wrt.com:8000/dd-wrt/timeline

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

PostPosted: Tue May 04, 2010 15:10    Post subject: Reply with quote
phuzi0n wrote:
Cross site scripting attacks happen from visiting sites with your own browser. If you browse the web and have an old build then you're vulnerable to the attack. It's very unlikely the devs will spend any time on this but if you want you can create a ticket for it.

http://svn.dd-wrt.com:8000/dd-wrt/timeline


I'm tired of being "coddled" by others who think they know better than me on how I should be browsing the web, without giving me any say in how it should be done. I don't visit sites that do that, and even if I did accidentally hit one I've got all my browsing going through multiple layers of web proxies I've configured to filter and fix that kind of stuff for me. 10+ years of web browsing, with the last 6+ of those with this web proxy setup, and no issues, EVER.

I either need a way to turn this off, or a workaround. Period.

I saw mention of the referrer fields possibly being why this is happening. Is there a way I can fix that through the browser, web server on my server box, etc? I'd prefer a fix that doesn't involve manually configuring the web browser, since I have 4+ computers, each with multiple OSes installed and multiple browsers set up in each OS. That would be a fairly large job that I would like to avoid.

I'll think about the ticket, but considering your statement I would rather spend my time on something useful and not potentially wasteful, if at all possible. If that means putting in a workaround, then so be it.
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

PostPosted: Tue May 04, 2010 15:28    Post subject: Reply with quote
Sorry if I came across a bit harsh, just think this "feature" should be handled differently.

I went ahead and submitted a ticket, but would still like to know if there is some way to work around it.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue May 04, 2010 19:56    Post subject: Reply with quote
If you can have your proxies strip out the referrer then that will fix it. Even though it's not a good way to fix the problem, it's the easiest way and IMO it's not really worth the developers time to make it any better.

ps. cross site scripting attacks can happen on any site. The only way to fully avoid it is to disable scripting in your browser.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
DWolfman
DD-WRT Novice


Joined: 09 Aug 2008
Posts: 31

PostPosted: Wed May 05, 2010 2:25    Post subject: Reply with quote
phuzi0n wrote:
If you can have your proxies strip out the referrer then that will fix it. Even though it's not a good way to fix the problem, it's the easiest way and IMO it's not really worth the developers time to make it any better.

Well, the proxies only come into play when accessing sites outside my network. I have a proxy pac file set up for automatic proxy configuration of the browser. In the pac file I have it set to not use the proxy for LAN addresses. But it is set up to strip out the referrer field on sites unless I've listed to exclude a specific site.

Is it possible to set up the root page in Apache to not trigger the referrer? I usually go to that page first, then click the link I set up there to go to the router.

Quote:
ps. cross site scripting attacks can happen on any site. The only way to fully avoid it is to disable scripting in your browser.

I'd say my proxies are already configured to filter it out since I've never had any problems like that, and I've even tried going to a couple known-bad sites when I was testing the setup.
Goto page 1, 2, 3  Next Display posts from previous:    Page 1 of 3
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum