authorjim-p <jimp@pfsense.org>2010-07-09 09:50:01 -0400
committerjim-p <jimp@pfsense.org>2010-07-09 09:50:01 -0400
commit2003b5d8bc9c9b2b7aa72f4d3c4532c7349264cd (patch)
tree687057b47078e2a1097db751533ede685add6cbc /etc
parentf17f9f2891b459e3f119ced5857469b96c57dde9 (diff)
downloadpfsense-2003b5d8bc9c9b2b7aa72f4d3c4532c7349264cd.zip
pfsense-2003b5d8bc9c9b2b7aa72f4d3c4532c7349264cd.tar.gz
Print a warning on the login screen if you are accessing the router by a non-local IP address (one not configured on the system) to warn about potential MITM attacks.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/authgui.inc20
1 files changed, 20 insertions, 0 deletions
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index b3cd6a6..0747452 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -163,6 +163,24 @@ function display_login_form() {
exit;
}
+/* Check against locally configured IP addresses, which will catch when someone
+ port forwards WebGUI access from WAN to an internal IP on the router. */
+global $FilterIflist;
+$local_ip = false;
+if(strstr($_SERVER['HTTP_HOST'], ":")) {
+ $http_host_port = explode(":", $_SERVER['HTTP_HOST']);
+ $http_host = $http_host_port[0];
+} else {
+ $http_host = $_SERVER['HTTP_HOST'];
+}
+if (empty($FilterIflist)) {
+ require_once('filter.inc');
+ require_once('shaper.inc');
+ filter_generate_optcfg_array();
+}
+foreach ($FilterIflist as $iflist)
+ if($iflist['ip'] == $http_host)
+ $local_ip = true;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
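Review bot: The port-stripping on the new `$http_host` lines breaks for a bracketed IPv6 literal such as `[fe80::1]:443`, where `explode(":")` yields `[fe80`, `is_ipaddr()` then fails and the warning silently disappears for IPv6 access; a bracket-aware parse is needed before the comparison, and the comparison itself should be strict, `if ($iflist['ip'] === $http_host)`. More fundamentally, `$_SERVER['HTTP_HOST']` is supplied by the client, so an active intermediary that rewrites the Host header to a locally configured address suppresses the box entirely, and access by DNS name is never checked at all — the comment should say this is an advisory heuristic, not a control, e.g. `/* Advisory only: HTTP_HOST is client-supplied and can be rewritten by the very MITM this tries to detect; TLS certificate validation is the real defense. */`. Whether `$FilterIflist[...]['ip']` includes virtual IPs (CARP/alias) is not visible here; if it does not, legitimate access via a VIP will raise a false warning. display_login_form() starts before this hunk and continues past it.
```php
/* Advisory only: HTTP_HOST is client-supplied and can be rewritten by the very
   MITM this tries to detect; TLS certificate validation is the real defense.
   Strip an optional :port, keeping bracketed IPv6 literals intact. */
$http_host = $_SERVER['HTTP_HOST'];
if (preg_match('/^\[([^\]]+)\](?::\d+)?$/', $http_host, $m)) {
	$http_host = $m[1];
} elseif (substr_count($http_host, ':') == 1) {
	$http_host = substr($http_host, 0, strpos($http_host, ':'));
}
// … unchanged: $FilterIflist initialisation …
foreach ($FilterIflist as $iflist)
	if ($iflist['ip'] === $http_host)
		$local_ip = true;
```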
@@ -198,6 +216,8 @@ function display_login_form() {
</head>
<body onload="page_load()">
<div id="login">
+ <?php if(is_ipaddr($http_host) && !$local_ip)
+ print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br/><br/>If you did not setup this forwarding, you may be the target of a man-in-the-middle attack.")); ?>
<form id="iform" name="login_iform" method="post" autocomplete="off" action="<?=$_SERVER['SCRIPT_NAME'];?>">
<h1></h1>
<div id="inputerrors"><?=$_SESSION['Login_Error'];?></div>
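Review bot: The condition on the new `<?php if(is_ipaddr($http_host) && !$local_ip)` line only fires when the Host header is an IP literal, so access through a NAT forward by DNS name never shows the box, and because the Host header is client-supplied the box can also be suppressed by an intermediary that rewrites it; a reader of the template should see that limitation next to the check. I would add `<?php /* advisory: $http_host is the client's Host header; hostname access is never flagged */` immediately before the condition. The message text itself is static and goes through gettext(), so no user data reaches the output here. display_login_form() continues outside this hunk.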