Sky D-Link potential vulnerability

My Sky D-Link DSL-2640S has a thing whereby if I log in to the router's web interface with Internet Explorer, I can immediately gain full access to the router's web interface with Firefox without needing a user/pass (Firefox was fully flushed of cookies, temp files and saved passwords prior).

This also means if the web browser is closed, there is a 5 minute window for someone else to access the computer, and subsequently the router, without needing the router's password.

Essentially, logging in to the router's web interface with a browser grants unauthenticated access from that computer's IP address for a default of 5 minutes, or until the logout link is clicked. As I understand it, this differs from "normal" router behaviour.

I wonder what people's thoughts on this are. It seems to represent a cross-site scripting vulnerability, or a router security vulnerability where a PC is sited in a shared PC environment?

Edited by Oliver341 (Mon 16-Jul-12 18:12:33)

Plenty of sites where if you do not press logout, and reopen a browser window you are still logged in.

Or am I missing something?

In reply to a post by MrSaffron:

Plenty of sites where if you do not press logout, and reopen a browser window you are still logged in.

That's cookie-based auth.

I very much doubt if you switched to a different browser (which you don't normally use) you would still be logged in.

This is just from the pc where you logged in within that 5 minute time frame the first time on the internal network right?

Blackmesa8

In reply to a post by blackmesa8:

This is just from the pc where you logged in within that 5 minute time frame the first time on the internal network right?

Correct. Upon logging in, the IP address of the connecting device (e.g. 192.168.0.2) is granted unauthenticated access to the router for a (default) period of 5 minutes (or until the logout button is clicked). Any application/script (malicious or otherwise) can go straight in and change settings (although mercifully DNS servers cannot be changed because Sky routers don't allow it!). The router's password is not required.

Edited by Oliver341 (Mon 16-Jul-12 19:47:00)

I don't see it as an issue.

You login to router from computer A, don't logout so its no surprise that you can still access it from computer A (and if i recall all other computers are locked out during this time)

This is all on the local network and so i don't expect the same restrictions as I would see on the internet.

Ok as long as its from the same device thats not so bad. I can see how it might be annoying but i can live with it specially as its only for 5 minutes.

blackmesa8

In reply to a post by blackmesa8:

Ok as long as its from the same device thats not so bad. I can see how it might be annoying but i can live with it specially as its only for 5 minutes.

Normally 5 minutes, but something logging in constantly (e.g. Routerstats) will leave the door open to the router for that IP address indefinitely.

Something to note for users of Routerstats.