Cross-site request forgery (CSRF) vulnerability in the web management interface in httpd/cgi-bin/shutdown.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to hijack the authentication of administrators for requests that perform a reboot via a request to cgi-bin/shutdown.cgi.
Smoothwall Express 3.1 and earlier is vulnerable to a Cross-Site Request Forgery (CSRF) attack, allowing attackers to remotely reboot the system by tricking an authenticated administrator into clicking a malicious link. This vulnerability can lead to denial-of-service (DoS) and potential system downtime, impacting network availability and potentially causing data loss if unsaved configurations are present.
Step 1: Victim Authentication: An administrator is logged into the Smoothwall Express web management interface.
Step 2: Attacker Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or an <img> tag that, when loaded, sends a request to cgi-bin/shutdown.cgi.
Step 3: Payload Delivery: The attacker lures the administrator to visit the malicious page or open the malicious email.
Step 4: Request Forgery: The administrator's browser, still holding a valid session with Smoothwall, automatically sends a request to cgi-bin/shutdown.cgi to reboot the system. The request appears to originate from the administrator's browser, but it is actually initiated by the attacker's malicious code.
Step 5: System Reboot: The shutdown.cgi script, lacking CSRF protection, processes the request and initiates a system reboot, causing a denial-of-service condition.
The vulnerability stems from a lack of CSRF protection in the shutdown.cgi script within the Smoothwall Express web management interface. The script, responsible for initiating a system reboot, does not validate the origin of the request. This means an attacker can craft a malicious HTML page or email containing a hidden form or a simple <img> tag that, when loaded by an authenticated administrator, triggers the reboot. The root cause is the absence of any anti-CSRF tokens or origin validation (e.g., checking the Referer header) in the shutdown.cgi script before executing the reboot command. This allows an attacker to forge a request that appears to originate from the legitimate Smoothwall management interface.
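To make the missing check concrete, the following is an added example (not Smoothwall's own CGI code, which is Perl) of the validation a state-changing handler such as shutdown.cgi should perform before acting. It models a request as a plain dictionary and contrasts the behaviour the advisory describes (accepting any request that carries a valid session cookie) with a hardened check that requires a POST, a same-origin Origin or Referer header, and a per-session anti-CSRF token compared in constant time. The management origin, session store and the two sample requests are constructed for the demonstration.

```python
"""Added example: request validation that shutdown.cgi lacks.
Illustrative Python, not Smoothwall's script; the management origin,
session store and sample requests below are constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the management interface is served from this origin.
MANAGEMENT_ORIGIN = "https://smoothwall.example:441"

# Constructed session store: session cookie value -> per-session CSRF token.
SESSIONS = {"sess-admin": secrets.token_hex(16)}


def issue_token(session_id):
    """Return the CSRF token bound to a session; the reboot form embeds it."""
    return SESSIONS[session_id]


def origin_allowed(headers):
    """Accept only requests whose Origin (or, failing that, Referer) matches
    the management origin. A request triggered from a third-party page either
    carries a foreign origin or none at all, so a missing header is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == MANAGEMENT_ORIGIN


def token_valid(session_id, submitted):
    """Constant-time comparison of the submitted token with the session's token."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def vulnerable_allows_reboot(request):
    """Behaviour described in the advisory: the only check is that the browser
    presented a valid session cookie, which a cross-site request also does."""
    return request["cookies"].get("session") in SESSIONS


def hardened_allows_reboot(request):
    """Hardened check: POST only, valid session, same-origin, valid CSRF token."""
    if request["method"] != "POST":
        return False
    session_id = request["cookies"].get("session")
    if session_id not in SESSIONS:
        return False
    if not origin_allowed(request["headers"]):
        return False
    return token_valid(session_id, request["form"].get("csrf_token"))


# Constructed request: the administrator submits the real reboot form.
LEGIT_REQUEST = {
    "method": "POST",
    "cookies": {"session": "sess-admin"},
    "headers": {"Origin": MANAGEMENT_ORIGIN},
    "form": {"csrf_token": issue_token("sess-admin")},
}

# Constructed request: the same browser fetches shutdown.cgi because a page on
# another site referenced it; the session cookie rides along automatically.
FORGED_REQUEST = {
    "method": "GET",
    "cookies": {"session": "sess-admin"},
    "headers": {"Referer": "https://third-party.example/page.html"},
    "form": {},
}

if __name__ == "__main__":
    print("vulnerable handler, forged request:", vulnerable_allows_reboot(FORGED_REQUEST))
    print("hardened handler, forged request:  ", hardened_allows_reboot(FORGED_REQUEST))
    print("hardened handler, legit request:   ", hardened_allows_reboot(LEGIT_REQUEST))
```

The origin check on its own is a useful defence in depth, but the per-session token is what actually closes the hole: a Referer can be absent for privacy reasons and an Origin check alone does nothing for clients that omit it, whereas an attacker's page cannot read the token out of the administrator's session.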