In association with heise online

10 May 2013, 17:11

CSRF hole in OpenVPN Access Server


OpenVPN Technologies has announced that it has closed a cross-site request forgery (CSRF) hole in the OpenVPN Access Server admin interface. OpenVPN Access Server is a commercial implementation of OpenVPN from the company that produces the open source OpenVPN package. The flaw exists in version 1.8.4, and may well be present in earlier versions. It is fixed in version 1.8.5, which is available for download.

The problem could potentially be exploited if an administrative user visited a maliciously crafted web site while the Admin web interface was open in the same browser, allowing an attacker to modify settings in the Admin interface. A security researcher had found that it was possible to easily hijack the session and, for example, create new VPN client accounts.

(djwm)

Permalink: http://h-online.com/-1860701
 

