Gat3Way

Name of the Vulnerable Software and Affected Versions: DD-WRT versions 24 sp1 and earlier Description: The issue allows remote attackers to hijack the authentication of administrators for various requests, including executing arbitrary commands via the `ping ip` parameter, changing administrative credentials via the `http username` and `http passwd` parameters, enabling remote administration via the `remote management` parameter, and configuring port forwarding via certain `from`, `to`, `ip`, and `pro` parameters. Recommendations: For DD-WRT versions 24 sp1 and earlier, consider disabling the apply.cgi module until a patch is available to prevent exploitation of the CSRF vulnerabilities. Restrict access to the administrative interface to minimize the risk of unauthorized changes. Avoid using the vulnerable parameters, such as `ping ip`, `http username`, `http passwd`, `remote management`, `from`, `to`, `ip`, and `pro`, in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: DD-WRT version 24 sp2 Description: The issue is related to multiple cross-site request forgery (CSRF) vulnerabilities in the apply.cgi component. These vulnerabilities allow remote attackers to hijack the authentication of administrators for various requests, including executing arbitrary commands via the `ping ip` parameter, changing administrative credentials via the `http username` and `http passwd` parameters, enabling remote administration via the `remote management` parameter, and configuring port forwarding via certain `from`, `to`, `ip`, and `pro` parameters. This issue exists due to a weak anti-CSRF fix implemented in version 24 sp2. Recommendations: For DD-WRT version 24 sp2, consider disabling the apply.cgi component or restricting access to it until a proper fix is available. As a temporary workaround, avoid using the vulnerable parameters, such as `ping ip`, `http username`, `http passwd`, `remote management`, `from`, `to`, `ip`, and `pro`, in the apply.cgi component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DD-WRT version 24 sp1 **Description** The issue concerns the management GUI in DD-WRT, where the httpd.c in httpd does not require administrative authentication for programs under cgi-bin/. This allows remote attackers to change settings via HTTP requests. **Recommendations** For DD-WRT version 24 sp1, consider restricting access to the cgi-bin/ directory until a patch is available. As a temporary workaround, limit the execution of programs under cgi-bin/ to only those that are necessary for the system's operation.

**Name of the Vulnerable Software and Affected Versions** ProFTPD Server versions 1.3.1 through 1.3.2rc2 proftpd-doc (affected versions not specified) proftpd-mod-pgsql (affected versions not specified) proftpd-mod-mysql (affected versions not specified) proftpd (affected versions not specified) proftpd-mod-ldap (affected versions not specified) proftpd-basic (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the `username`, which introduces a "'" (single quote) character during variable substitution by mod sql. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of the vulnerabilities can be carried out remotely. **Recommendations** For ProFTPD Server versions 1.3.1 through 1.3.2rc2, consider disabling the mod sql module until a patch is available. For proftpd-doc, proftpd-mod-pgsql, proftpd-mod-mysql, proftpd, proftpd-mod-ldap, and proftpd-basic, at the moment, there is no information about a newer version that contains a fix for this vulnerability.