OpenVPN Server Got CSRF Hole

OpenVPN Technologies has announced that it has closed a cross-site request forgery (CSRF) vulnerability in the OpenVPN Access Server admin interface. OpenVPN Access Server is the commercial implementation of OpenVPN from the company that produces the open source OpenVPN package. The flaw exists in version 1.8.4 and may well be present in earlier versions. It is fixed in version 1.8.5, which is available for download.

The flaw could be exploited if an administrator, while logged in to the Admin web interface, also visited a maliciously crafted web site. Because the browser attaches the admin session cookie to any request sent to the Access Server host, including requests that the attacker's page triggers in the background, that page could submit forged requests that change settings in the Admin interface. A security researcher found that it was easy to abuse the administrator's authenticated session in this way and, for example, create new VPN client accounts.

via The-H
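To make the mechanism concrete, here is an added example (generic code written for this post, not OpenVPN Access Server's code; the hostnames, the /admin/clients path and the handler names are assumptions). It models an admin action that is authorised by the session cookie alone, which a cross-site page can forge, next to the same action protected with a per-session synchroniser token and an Origin check, and it simulates both the forged request and a legitimate one:

```python
"""Generic CSRF demonstration: a cookie-authenticated admin action that is
forgeable cross-site, beside the same action protected with a per-session
synchroniser token.  Constructed example, not OpenVPN Access Server code."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """The parts of an HTTP request the handlers below look at."""
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class AdminServer:
    """Minimal stand-in for an admin web interface with a session cookie.
    The origin is an assumed value for the example."""

    def __init__(self, origin="https://admin.example.test"):
        self.origin = origin
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.accounts = set()

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token_for(self, sid):
        """The value the real admin page would embed in its own forms."""
        return self.sessions[sid]["csrf"]

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def create_client_vulnerable(self, req):
        """Authorises on the session cookie alone.  Any page the admin
        visits can make the browser send this request with that cookie."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403, "not authorised"
        self.accounts.add(req.form["name"])
        return 200, "created"

    def create_client_hardened(self, req):
        """Same action, but the form must carry the token issued to this
        session, and a cross-origin Origin header is rejected outright."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403, "not authorised"
        # Constant-time compare on bytes: avoids a timing side channel and a
        # TypeError if the attacker submits a non-ASCII token string.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
            return 403, "csrf token mismatch"
        # Defence in depth: browsers set Origin on cross-site POSTs.  If it is
        # absent (older clients) the token check above still protects us.
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.origin:
            return 403, "cross-origin request"
        self.accounts.add(req.form["name"])
        return 200, "created"


def simulate():
    """Run the forged and legitimate requests against both handlers."""
    vuln, hard = AdminServer(), AdminServer()
    vuln_sid, hard_sid = vuln.login("admin"), hard.login("admin")

    def forged(sid):
        # Auto-submitted by a page on attacker.example.test while the admin
        # is logged in; the browser adds the session cookie by itself.  The
        # attacker cannot read the token, so the form has none.
        return Request("POST", "/admin/clients", cookies={"sid": sid},
                       form={"name": "backdoor"},
                       headers={"Origin": "https://attacker.example.test"})

    forged_vuln_status, _ = vuln.create_client_vulnerable(forged(vuln_sid))
    forged_hard_status, _ = hard.create_client_hardened(forged(hard_sid))

    # A submission from the genuine admin page carries the issued token.
    legit = Request("POST", "/admin/clients", cookies={"sid": hard_sid},
                    form={"name": "alice",
                          "csrf_token": hard.csrf_token_for(hard_sid)},
                    headers={"Origin": hard.origin})
    legit_status, _ = hard.create_client_hardened(legit)

    return {"forged_vulnerable": forged_vuln_status,
            "forged_hardened": forged_hard_status,
            "legit_hardened": legit_status,
            "vulnerable_accounts": sorted(vuln.accounts),
            "hardened_accounts": sorted(hard.accounts)}


if __name__ == "__main__":
    print(simulate())
```

The forged request succeeds against the cookie-only handler and creates the "backdoor" account, while the hardened handler rejects it because the attacker's page can neither read the token out of the admin's session nor send a matching Origin; the admin's own form submission still goes through.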

Wagiman Wiryosukiro

Information systems farmer, welder of WordPress plugins and themes. Co-founder of SistemInformasi.biz. Currently active as a developer and contributor to OpenMandriva Linux.
