Error Console [ABE WAN] message clarification?

Ask for help about NoScript, no registration needed to post
Post Reply
ABEfan

Error Console [ABE WAN] message clarification?

Post by ABEfan »

First, many thanks for yet more protection for routers.

The item "Exclusive protection against DNS-rebinding attacks targeted to routers, including WAN IP variants." in the changelog today:

I sort of understand the general idea that it's covering a hole in the ABE implementation, but I would like to verify that my install is behaving as expected.

I've read this thread
http://forums.informaction.com/viewtopi ... ng+routers
and this one
http://forums.informaction.com/viewtopi ... 43&start=0
The advice in Error Console is

Code: Select all

[ABE WAN] Detected WAN IP xxx.xx.xxx.xxx
Do I infer from this invocation of ABE that my router is vulnerable to the exploit or is every NS install getting added to the IP address pool simply as preparation for ABE to to its work?
- - btw, nice to have a very accessable trusted check of my IP - don't need to change focus from Fx to terminal to get it :-)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Top
User avatar
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:
Contact Giorgio Maone

Re: Error Console [ABE WAN] message clarification?

Post by Giorgio Maone »

Do I infer from this invocation of ABE that my router is vulnerable to the exploit or is every NS install getting added to the IP address pool simply as preparation for ABE to to its work?
The latter.
However, if opening http://xxx.xxx.xxx.xxx in your browser leads you to your router's administrative console or to another sensitive web resource meant to be seen only from inside your LAN, you've got the kind of problem which the new feature is meant to repair.

Actually this makes me think that, since NoScript actually checks whether a web resource is accessible at that IP, an indicator of that could be added by default to the console logging as well...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Top
ABEfan

Re: Error Console [ABE WAN] message clarification?

Post by ABEfan »

if opening http://xxx.xxx.xxx.xxx in your browser leads you to your router's administrative console or to another sensitive web resource meant to be seen only from inside your LAN,
No, it doesn't. Thanks for clearing that up. Your test idea sounds v good.
Relaxing now...until the next hole gets publicity... routers are a real headache for us home users.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Top
Guest

Re: Error Console [ABE WAN] message clarification?

Post by Guest »

Giorgio Maone wrote:Actually this makes me think that, since NoScript actually checks whether a web resource is accessible at that IP, an indicator of that could be added by default to the console logging as well...
Well, how about a visible notification, asking the user whether they want/need it? I thought it was in your interest that your server doesn't fry. :P

Not to belittle your efforts, but I don't really need it since my router isn't vulnerable (in that it doesn't respond to requests from non-local IP addresses), and for users with a static IP address an equally static ABE rule would be just as secure.
Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6
Top
User avatar
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:
Contact Giorgio Maone

Re: Error Console [ABE WAN] message clarification?

Post by Giorgio Maone »

Guest wrote: Well, how about a visible notification, asking the user whether they want/need it? I thought it was in your interest that your server doesn't fry. :P
Unfortunately many users wouldn't know the correct answer, see below ;)
Guest wrote: Not to belittle your efforts, but I don't really need it since my router isn't vulnerable (in that it doesn't respond to requests from non-local IP addresses)
In fact, the router not responding to requests from (intended as "coming from") non-local IP addresses doesn't make them less vulnerable.
The problem at hand is about those routers answering on (intended as "when requested on the") public WAN IP address assigned by your IP from your (local) address.
So, unless I didn't correctly understand your statement, you seem to be among those users who would have disabled it on a wrong assumption.
Guest wrote:and for users with a static IP address an equally static ABE rule would be just as secure.
With an additional effort on their part, and the need to learn how to write/edit an ABE rule...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Top
Guest

Re: Error Console [ABE WAN] message clarification?

Post by Guest »

Giorgio Maone wrote:Unfortunately many users wouldn't know the correct answer, see below ;)
Maybe you could give them a nudge in the right direction by checking if anything answers on their WAN IP address first (which according to you already does happen).
Giorgio Maone wrote:In fact, the router not responding to requests from (intended as "coming from") non-local IP addresses doesn't make them less vulnerable.
The problem at hand is about those routers answering on (intended as "when requested on the") public WAN IP address assigned by your IP from your (local) address.
So, unless I didn't correctly understand your statement, you seem to be among those users who would have disabled it on a wrong assumption.
Er, well. Accessing the configuration page via the public WAN IP address doesn't work is what I'm saying.
Giorgio Maone wrote:With an additional effort on their part, and the need to learn how to write/edit an ABE rule...
True, I guess.
Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Top
Post Reply

Return to “NoScript Support”