View Issue Details

IDProjectCategoryView StatusLast Update
0001025Main CAcert Websitemiscpublic2015-08-09 21:06
ReporterUli60Assigned ToNEOatNHNG 
PrioritynormalSeverityminorReproducibilityalways
Status needs workResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0001025: Domain Dispute strange behaviour / Domain Dispute issue
DescriptionThe problem is taken from ticket [s20120322.56 ] Domain dispute fallout?

A few days ago I used the "Domain Dispute" tab on the CAcert.org website
to "take" domain.tld away from User2, as I was
under a time crunch to get some certs rolled. Before I did this User2
and I were unable to connect to arrange this some other way.

While this got the domain.tld account transferred to me,
User2 tells me it also messed up the other certs for domains he manages
(both domain2.tld for us and several of his personal domains). If I
understood correctly, it also prevented him from logging in to his
cacert account.

Do I understand correctly?

If this is the case, did I miss a warning about the effect my clicking
on "Domain dispute" would have? My only goal was to get
domain.tld transferred to me so I could issue some certs,
and I would have never clicked on that link if I had known that one of
the consequences of that action would have been to affect User2's CAcert
account or the other certificates he had been issued.
Additional Informationbug# generated for analyze and to reproduce reported problem
TagsNo tags attached.
Reviewed byNEOatNHNG, BenBE
Test Instructions

Relationships

related to 0000932 needs testingBenBE test.cacert.org Get UTF8 failured email subject 
related to 0001037 new Main CAcert Website Message text is wrong for disputing an primary email address from an account with a domain inside of the account 
related to 0001117 new Main CAcert Website Outsource Disputes Text /disputes.php?id=0 to wiki 
related to 0001026 needs workUli60 Main CAcert Website Server Certificate was revoked but not by the user 
related to 0001104 confirmedINOPIAE Main CAcert Website Report Abuse not operative 
related to 0000893 closedINOPIAE Main CAcert Website Extend Delete account feature for support 

Activities

Uli60

2012-03-22 15:03

updater   ~0002887

pre-set
-------
user1
  email: user1@domain1.tld


user2
 email: user2@domain1.tld
   clientcerts: user2@domain1.tld
 domain: domain1.tld
   servercerts: cert1.domain1.tld
                 cert2.domain1.tld
 domain: sub1.domain1.tld fail
   servercerts: cert1.sub1.domain1.tld -
                 cert2.sub1.domain1.tld -
 domain: domain2.tld
   servercerts: cert1.domain2.tld
                cert2.domain2.tld
 domain: sub1.domain2.tld fail
   servercerts: cert1.sub1.domain2.tld -
                cert2.sub1.domain2.tld -

test procedure
--------------
created user1 and user2
both verified
both accounts assured upto 100 assurance points
loggedin user2
create client cert
adding domain domain1.com
confirm email probe (postmaster@), under ca-mgr1 under bug1025.user2 account email

adding domain sub1.domain1.tld
email probe to: postmaster@sub1.domain1.tld results in error:
"Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid
Failed to make a connection to the mail server"
Bug? Fallback to postmaster@domain1.tld is impossible

adding domain domain2.de
confirm email probe (postmaster@), under ca-mgr1 under bug1025.user2 account email

adding domain sub1.domain2.tld
email probe to: postmaster@sub1.domain2.tld results in error:
"Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid
Failed to make a connection to the mail server"

sub domains failed email probe, cannot be tested

creating 4 server certs private keys and csr's with openssl,
2 each for domain1.tld and domain2.tld

signing all 4 csr's with class3 testserver subroot
1. server1.domain1.com serno 10AF
2. server2.domain1.com serno 10B0
3. server1.domain2.de serno 10B1
4. server2.domain2.de serno 10B2

logout

login user1
domain add domain1.tld
error: The domain 'domain1.com' is already in a different account and is listed as valid. Can't continue.
=> OK

Dispute Abuses
 + Domain Dispute

warning message:
"If your dispute is successful the domain will be removed from the current account and any certificates will be revoked."

Please choose an authority email address
  postmaster@domain1.com
click -> "Update Dispute"

system message:
"The domain 'domain1.com' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."


ca-mgr1: login to user2
6 new emails:
1. [CAcert.org] Dispute Probe
2.-6. [CAcert.org] Your Certificate is about to expire

text of 1)
You have been sent this email as the domain 'domain1.com' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:
https://cacert1.it-sls.de/disputes.php?type=domain&domainid=167973&hash=e2d8f99e5acff58421b8be6fcd0a6671

text of 2-6)
Your certificate is set to expire in approximately 30 days time, ...
(this relates to the shortened timeframe test certs expires within 1 week or 1 month) => OK
doesn't relate to the domain dispute


login user2 to testserver

client certs view: 1 listed
domains view: 2 domains listed
server certs view: 4 server certs listed
=> OK (at this stage)

accepting dispute
Domain Dispute
Reject Dispute
Accept Dispute <=
Report Dispute as Abuse
click -> "update dispute"

system message:
"You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.

The following accounts have been removed:
domain1.com"


server certs view: 2 server certs listed for domain2.de (serno: 10B1, 10B2)
domains view: 1 domain listed, domain2.de
client certs view: 1 client cert listed user2@domain1.com (!)


=> OK

logout

login user1
domain view: 0 domains listed

add domain: domain1.com
confirming email probe
view domains: domain1.com listed

=> OK

==> original bug report cannot be confirmed, cannot be reproduced on testserver

MarekMazur

2012-03-22 22:49

reporter   ~0002888

Please to check this case:
1. user1 - 2+ e-mail accounts, no domains assigned; user2 - whatever.
2. Try e-mail dispute on user1 primary account.
3. user1 accept e-mail dispute.

Code that is interesting:

$rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
                    $rc = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
                    $res = mysql_query("select * from `users` where `id`='$oldmemid'");
                    $user = mysql_fetch_assoc($res);
            if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
            {
                mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
                echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
            }
I have no clue what $rc2 is reffering to...

Uli60

2012-03-22 23:25

updater   ~0002889

Last edited: 2012-03-22 23:51

View 4 revisions

strike "or domains" :D
compare it to line 271 + 272 of /www/disputes.php

/www/disputes.php l. 75 + 76 probably should be:
$rc = mysql_num_rows(mysql_query("select * from `domains` ...
$rc2 = mysql_num_rows(mysql_query("select * from `email` ...

at least this is a bug, but doesn't relate to the reported issue
if not wrongly clicked the EMAIL dispute instead of DOMAIN dispute.
The answer can give user2 by forwarding line 1 of the email user 2 received for acceptance of the dispute, as this email line includes the text about the dispute method: -> EMAIL dispute -or- DOMAIN dispute

reason why EMAIL dispute cannot delete an account if account has > 1 email address defined is /www/disputes.php line 271 - 279 code, that prevents removal of one email definition, if its not the only one email address left in the account.

MarekMazur

2012-03-22 23:39

reporter   ~0002890

I don't get 'probably' part of your comment Uli. :)

My simply guessing is that user1/2 is afraid of consequences and lies about that he used a domain dispute and sent email dispute instead.

We won't ever know if someone don't check in database that there exist a deleted account referring to user1 e-mail address.

If user2 lies, looking for reason of this bug is a waste of time.

MarekMazur

2012-03-23 01:13

reporter   ~0002891

Ulrich, note that it is required for account to be empty only to start this process, finishing this process is not checking one of the requirements.

NEOatNHNG

2012-05-08 21:32

administrator   ~0002991

I have fixed the $rc issue, please check whether the original bug is also fixed. Please test & review.

BenBE

2012-06-19 19:02

updater   ~0003073

The patch looks sane and should fix the above mentioned problem. Reconstructing from the original source there really COULD be the situation when disputing the primary email address could lead to account removal even if there were still domains on that account left. This situation SHOULD be fixed with this patch.

BenBE

2012-11-20 20:27

updater   ~0003348

The patch is okay and addresses the issue.

Though the coding style could be better in cases of e.g. database errors - the code gives the correct result, but passing unchecked resource handles to mysql_num_rows is clearly bad style.

Uli60

2012-11-28 02:30

updater   ~0003370

7 users generated
bug1025.user0@w.d .. bug1025.user6@w.d


prepared:
       1 email 2 email 0 domains 1 domain 2 domains test-domains

user1 + + behappy
user2 + + morgen
user3 + + risipisi, bauwagen
user4 + + einmal, support
user5 + +
user6 + +


login bug1025.user0@w.d
dispute user1 domain
The domain 'behappy' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request.

login to ca-mgr1 for user1, mail received:

You have been sent this email as the domain 'behappy' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:

https://cacert1.it-sls.de/disputes.php?type=domain&domainid=167995&hash=963ef3d1d5be963beb817f5e5731e390

3 options:
Reject Dispute
Accept Dispute <===
Report Dispute as Abuse

You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.

The following accounts have been removed:
behappy

view Domains: empty => ok
view email: 1 email => ok

user0:
view domains: no domains => ok
view emails: 1 email => ok

add domain -> behappy
confirmation
view domains: 1 domain => ok


dispute email user1

You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.

The following accounts have been removed:
bug1025.user1@w.d
This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.
=> ok

user0:
view domain: 1 => ok
view email: 1 => ok

add new email (user1), confirmed
view domain: 1 => ok
view email: 2 => ok

test series 1 => ok
-----

login user0
dispute user2b email, user2: accept dispute

user0
view domain: 1 => ok
view email: 2 => ok
add email user2b, confirmed

view domain: 1 => ok
view email: 3 => ok

(user2: 1 domains, 1 email left)

dispute last email from user2

results in:
You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it. => ok

dispute domain from user2, accepted

user0:
view emails: 3 => ok
view domains: 1 => ok

add domain 'morgen', confirmed

user0:
view emails: 3 => ok
view domains: 2 => ok

dispute last email from user2, accepted

user0:
view emails: 3 => ok
view domains: 2 => ok

add email (user2), confirmed
user0:
view emails: 4 => ok
view domains: 2 => ok

trying to login to user2 ->
Incorrect email address and/or Pass Phrase. -> ok (as expected)

login to admin account, search user2 email
Sysadmin - find user -> user2
shows bug1025.user0@w.d => ok
emails shown as Secondary Emails (3), 2 domains => ok

test series 2 => ok
-----

series3: user3 + + risipisi, bauwagen

login user0:
disputing 2 domains, 1 email (in this order, email: bug1025.user3@w.d)
You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.

ca-mgr1 login to user3
dispute probe for 2 domains found, accepting both

user3: 0 domains remaining, 1 email remaining
user0: restart email dispute, accepted

user0:
add 2 domains, 1 email
ca-mgr user0: 3 probe emails -> 2 domains, 1 email, all 3 confirmed

user0:
view emails: 5 => ok
view domains: 4 => ok

test series 3 => ok
-----

series 4:
user4 2 email 2 domains einmal, support

user0: dispute 2 domains, 1 secondary email, accepted by user4 (ca-mgr1 emails)
user0: dispute last primary email, accepted by user4

user0: add 2 free'ed emails, add 2 free'ed domains

user0:
view emails: 7 => ok
view domains: 6 => ok

test series 4 => ok
-----

summary
email dispute of primary email cannot pass
(message: You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.)
if secondary email addresses or domains still remains under an account

INOPIAE

2012-12-08 08:28

updater   ~0003380

Last edited: 2012-12-08 10:29

View 3 revisions

While testing I found five major errors:
- Why is there no automatic log out of the account if the primary address is disputed successfully?
- When disputing an email address from a German account the subject is somehow cryptic, when disputing it from an English account it shows a proper subject.
German: =?utf-8?B?W0NBY2VydC5vcmddIMOcYmVydHJhZ3VuZ3NhbmZyYWdl?=
English: [CAcert.org] Dispute Probe
- When I am logged in with account 1 and I use the confirmation link send to account 2 the dispute process works.
The dispute process should only work with the account where the confirmation link is send to.
- There is no information how the responded of the dispute reacted. There should be a mail send to the requestor.
- It is possible to delete an account that has given assurances via the dispute method. This should definitly not be allowed. If the account just got assured it may be possible.

Nice to have have the disputing message in the language of the reciepient.

Test:

Removing the address from an account that only has an primary email address.

Requesting account shows (message1):
The email address 'xxx@yyy.tt' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request.
=>ok

Dispute account gets mail with this text (message2):
You have been sent this email as the email address 'xxx@yyy.tt' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:

https://cacert1.it-sls.de/disputes.php?type=email&emailid=244644&hash=61a54aa79ff7d48c3358abd3ecf30de5

Best regards,
CAcert.org Support!

=>ok

After following the link you see this (message3):
Currently the email 'xxx@yyy.tt' is in dispute, you have been sent an email to resolve the issue, below you have the option to accept, reject or report the request as fraudulent.

Reject Dispute
Accept Dispute
Report Dispute as Abuse

=>ok

When using Reject Dispute this is displayed (message4)
You have opted to reject this dispute and the request will be removed from the database
=>ok
Account stays =>ok

When using Accept Dispute this is displayed (message5)
You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.
The following accounts have been removed:
xxx@yyy.tt

This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.
=>ok
Account deleted=>ok
 
When using Report Dispute as Abuse the forwared to https://cacert1.it-sls.de/disputes.php. What happens?
Disputed 4.1025@acme.com from 0.1025@acme.com on 2012-12-08 10:30

Just disputing without any action: What happens?
Disputed 5.1025@acme.com from 0.1025@acme.com on 2012-12-08 10:30

Removing the primary email address from an account that hold at least on other email address or an domain:

Requesting account shows (message6):
You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.
=>ok Text could be more percise.
Nothing happens =>ok

Removing the an email address from an account that hold at least two email addresses:
Requesting account shows message1=>ok
Dispute account gets mail with message2=>ok
After following the link you see message3=>ok
When using Reject Dispute message4 is displayed=>ok
When using Accept Dispute this is displayed (message7)
You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.

The following accounts have been removed:
xxx@yyy.tt
Text must be the "the following email address has been removed:"
Text fails, Action is correct, email address removed
=>partly fail

Removing the a domain from an account that hold at least one email addresses and one domain:
Requesting account shows this (message8):
Please choose an authority email address ...
=>ok
After hiting update dispute shows this (message9):
The domain 'yyy.tt' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request.
=>ok

Dispute account gets mail with this text (message10):
You have been sent this email as the domain 'yyy.tt' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:

https://cacert1.it-sls.de/disputes.php?type=domain&domainid=168008&hash=040315ff58fdc51001bc69b5f53eefa4

Best regards,
CAcert.org Support!
=>ok
After following the link you see this (message11):
Currently the domain '1025.inopiae.com' is in dispute, you have been sent an email to resolve the issue, below you have the option to accept, reject or report the request as fraudulent.
=>ok
When using Reject Dispute message4 is displayed=>ok
When using Accept Dispute this is displayed (message13):
You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.

The following accounts have been removed:
yyy.tt
Text must be the "the following domain has been removed:"
Text fails, Action is correct, email address removed
=>partly fail

INOPIAE

2012-12-08 10:32

updater   ~0003381

Needs definitly work see major errors discribed in
https://bugs.cacert.org/view.php?id=1025#c3380

Uli60

2013-02-12 22:02

updater   ~0003748

Last edited: 2013-02-12 22:14

View 2 revisions

- When disputing an email address from a German account the subject is somehow cryptic, when disputing it from an English account it shows a proper subject.
German: =?utf-8?B?W0NBY2VydC5vcmddIMOcYmVydHJhZ3VuZ3NhbmZyYWdl?=
English: [CAcert.org] Dispute Probe

problem in ca-mgr1 (TMS)
that doesn't handle utf8 subject lines correctly, but email clients do
see https://bugs.cacert.org/view.php?id=932

Uli60

2013-02-12 22:17

updater   ~0003750

- It is possible to delete an account that has given assurances via the dispute method. This should definitly not be allowed. If the account just got assured it may be possible.
from https://bugs.cacert.org/view.php?id=1025#c3380 report

possible simple solution:
check if count(assurances-given) > 0
  then throw exception: automated dispute impossible, file dispute by sending dispute email to support@c.o

BenBE

2015-08-09 21:06

updater   ~0005446

The second issue in comment 3380 mentioned by INOPIAE has been addressed via a fix to issue 0000932 on the TMS/ca-mgr1.

Issue History

Date Modified Username Field Change
2012-03-22 13:51 Uli60 New Issue
2012-03-22 15:02 Uli60 Reproducibility have not tried => unable to reproduce
2012-03-22 15:02 Uli60 Status new => needs feedback
2012-03-22 15:03 Uli60 Note Added: 0002887
2012-03-22 15:03 Uli60 Status needs feedback => new
2012-03-22 22:49 MarekMazur Note Added: 0002888
2012-03-22 23:12 INOPIAE Description Updated View Revisions
2012-03-22 23:25 Uli60 Note Added: 0002889
2012-03-22 23:39 MarekMazur Note Added: 0002890
2012-03-22 23:40 Uli60 Note Edited: 0002889 View Revisions
2012-03-22 23:50 Uli60 Note Edited: 0002889 View Revisions
2012-03-22 23:51 Uli60 Note Edited: 0002889 View Revisions
2012-03-23 01:13 MarekMazur Note Added: 0002891
2012-05-08 20:27 INOPIAE Relationship added related to 0001037
2012-05-08 21:21 NEOatNHNG Source_changeset_attached => cacert-devel testserver 5b56ff30
2012-05-08 21:21 NEOatNHNG Source_changeset_attached => cacert-devel testserver 10df9bdc
2012-05-08 21:32 NEOatNHNG Reviewed by => NEOatNHNG
2012-05-08 21:32 NEOatNHNG Note Added: 0002991
2012-05-08 21:32 NEOatNHNG Status new => needs review & testing
2012-06-19 19:02 BenBE Note Added: 0003073
2012-11-07 00:55 BenBE Assigned To => BenBE
2012-11-20 20:27 BenBE Reviewed by NEOatNHNG => NEOatNHNG, BenBE
2012-11-20 20:27 BenBE Note Added: 0003348
2012-11-20 20:27 BenBE Reproducibility unable to reproduce => always
2012-11-20 20:27 BenBE Status needs review & testing => needs testing
2012-11-28 02:30 Uli60 Note Added: 0003370
2012-11-29 20:40 Uli60 Relationship added related to 0001117
2012-12-08 08:28 INOPIAE Note Added: 0003380
2012-12-08 09:27 INOPIAE Note Edited: 0003380 View Revisions
2012-12-08 10:29 INOPIAE Note Edited: 0003380 View Revisions
2012-12-08 10:32 INOPIAE Note Added: 0003381
2012-12-08 10:32 INOPIAE Assigned To BenBE => NEOatNHNG
2012-12-08 10:32 INOPIAE Status needs testing => needs work
2012-12-22 20:33 Werner Dworak Relationship added related to 0001026
2012-12-27 16:59 Werner Dworak Relationship added related to 0001104
2013-02-12 21:45 Uli60 Relationship added related to 0000893
2013-02-12 22:02 Uli60 Note Added: 0003748
2013-02-12 22:13 Uli60 Relationship added related to 0000932
2013-02-12 22:14 Uli60 Note Edited: 0003748 View Revisions
2013-02-12 22:17 Uli60 Note Added: 0003750
2015-08-09 21:06 BenBE Note Added: 0005446