CVE-2014-9431

MEDIUM 6.8 / 10.0
Published: December 31, 2014 at 10:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: cve@mitre.org

Vulnerability Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to hijack the authentication of administrators for requests that change the (1) admin or (2) dial password via a request to httpd/cgi-bin/changepw.cgi.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Smoothwall Express 3.0 SP3 and 3.1 ship a password-change CGI (httpd/cgi-bin/changepw.cgi) that performs no anti-CSRF check. An attacker who can get a logged-in administrator's browser to load an attacker-controlled page can therefore have that browser submit a password change for the admin or the dial account with a value the attacker chose. Changing the admin password gives the attacker a working login to the firewall's web interface, and with it control over the firewall's configuration. CVSS 2 rates the impact as partial on confidentiality, integrity and availability (C:P/I:P/A:P) and the access complexity as medium (AC:M), reflecting the need for administrator interaction.

02 // Vulnerability Mechanism

Step 1: Victim Login: The administrator authenticates to the Smoothwall Express web interface. From then on the browser attaches the administrator's credentials (session cookie or cached HTTP authentication) to every request it sends to that host.

Step 2: Attacker Crafting: The attacker builds a web page or HTML email containing a hidden form whose action is the firewall's httpd/cgi-bin/changepw.cgi and whose fields select the admin (or dial) password and supply the attacker's chosen value.

Step 3: Payload Delivery: The attacker lures the administrator into opening that page, for example through a phishing link, while the administrator is still logged in.

Step 4: Automatic Request: On load, script on the page submits the hidden form. The browser sends the resulting request to changepw.cgi with the administrator's credentials attached, exactly as if the administrator had filled in and submitted the real form.

Step 5: Password Change: changepw.cgi has no way to distinguish this request from a legitimate one (no per-session token, no check of where the request came from), so it sets the password to the attacker's value.

Step 6: Account Takeover: The attacker already knows the new password and logs in as the administrator, with the same control over the firewall as the legitimate admin. The same forged request can instead target the dial password.

03 // Deep Technical Analysis

The vulnerability stems from the absence of CSRF protection in the changepw.cgi script. This script, which changes the administrator and dial-up passwords, trusts any request that arrives with valid administrator credentials and does nothing to verify that the administrator actually intended it: it carries no per-session secret (synchronizer token) that a cross-origin page could not supply, and it does not check the Origin or Referer header against its own host. Because browsers attach credentials automatically, a hidden form on an attacker's page that targets changepw.cgi is submitted with the administrator's authority, and the server accepts the attacker's password value as if the administrator had chosen it. The root cause is therefore a missing request-origin check, not a flaw in authentication itself. The standard remediation is to require a session-bound CSRF token on every state-changing request, to reject requests whose Origin or Referer does not match the admin interface, and, for a password change in particular, to require the current password so that a forged request cannot succeed even if the other checks are bypassed.
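The six-step mechanism and the root cause above, illustrated with added example code that is not from Smoothwall or from this page: a minimal Python model of a changepw.cgi-style handler, first with the missing check and then with a session-bound synchronizer token, an Origin/Referer check and a current-password requirement. The field names (user, oldpw, newpw, csrf_token), the admin UI origin, the attacker page and the session model are assumptions for the illustration; the real changepw.cgi parameter names are not documented on this page.

```python
# Added example (not Smoothwall code): a model of a changepw.cgi-style handler
# without and with CSRF protection. Field names, the admin UI origin and the
# session object are hypothetical; the real changepw.cgi parameters are not
# documented on this page.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://firewall.example:441"  # assumed origin of the admin UI


@dataclass
class Session:
    """The server-side session the browser's cookie or cached HTTP auth maps to."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]  # resolved from the credentials the browser attached


def _origin_of(url: str) -> str:
    """Normalise a URL or Origin value to scheme://host[:port]; '' if missing or 'null'."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ""


def changepw_vulnerable(req: Request, store: Dict[str, str]) -> Tuple[int, str]:
    """The flaw: any request that arrives with the admin's credentials is honoured."""
    if req.session is None:
        return 401, "not authenticated"
    store[req.form["user"]] = req.form["newpw"]
    return 200, "password changed"


def changepw_hardened(req: Request, store: Dict[str, str]) -> Tuple[int, str]:
    """Same endpoint with the checks changepw.cgi lacks."""
    if req.session is None:
        return 401, "not authenticated"
    # 1. The request must come from a page on the admin UI's own origin.
    #    Origin is preferred, Referer is the fallback; neither present -> reject.
    origin = _origin_of(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # 2. Synchronizer token: the form must carry the token bound to this session.
    #    A cross-origin page cannot read it, so a forged form cannot include it.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    # 3. Re-authentication: a password change must present the current password.
    if req.form.get("oldpw") != store.get(req.form["user"]):
        return 403, "current password incorrect"
    store[req.form["user"]] = req.form["newpw"]
    return 200, "password changed"


# What the attacker's page (Step 2) would contain: a hidden, self-submitting form.
# Constructed illustration using the hypothetical field names of this example.
ATTACKER_PAGE = f"""<form id="f" method="POST" action="{SITE_ORIGIN}/cgi-bin/changepw.cgi">
  <input type="hidden" name="user" value="admin">
  <input type="hidden" name="newpw" value="attacker-chosen">
</form>
<script>document.getElementById("f").submit();</script>"""


def forged_request(sess: Session) -> Request:
    """What the victim's browser sends when ATTACKER_PAGE auto-submits (Step 4): the
    admin's credentials are attached, but Origin is the attacker's site and no token."""
    return Request(headers={"Origin": "https://attacker.example"},
                   form={"user": "admin", "newpw": "attacker-chosen"},
                   session=sess)


def legitimate_request(sess: Session, store: Dict[str, str]) -> Request:
    """A change submitted from the real admin page, carrying the session's token."""
    return Request(headers={"Origin": SITE_ORIGIN},
                   form={"user": "admin", "oldpw": store["admin"],
                         "newpw": "new-secret", "csrf_token": sess.csrf_token},
                   session=sess)


def demo() -> Dict[str, Tuple[int, str]]:
    """Forged request against both handlers, legitimate request against the fix."""
    sess = Session("admin")
    vulnerable_store = {"admin": "initial-secret"}
    hardened_store = {"admin": "initial-secret"}
    return {
        "forged_vs_vulnerable": changepw_vulnerable(forged_request(sess), vulnerable_store),
        "forged_vs_hardened": changepw_hardened(forged_request(sess), hardened_store),
        "legit_vs_hardened": changepw_hardened(legitimate_request(sess, hardened_store),
                                              hardened_store),
    }


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name}: {status} {msg}")
```

Running the block shows the forged request succeeding against the unprotected handler and being rejected at the origin check by the hardened one, while the legitimate request still goes through. The three checks are deliberately layered: the Origin/Referer comparison is cheap but some clients strip those headers, the token is the primary defence, and the current-password requirement means a password-change forgery fails even on a deployment where the first two are misconfigured.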
