0001025: Domain Dispute strange behaviour / Domain Dispute issue

ID	Project	Category	View Status	Date Submitted	Last Update

0001025	Main CAcert Website	misc	public	2012-03-22 13:51	2021-08-25 13:36

Reporter	Uli60	Assigned To	NEOatNHNG
Priority	normal	Severity	minor	Reproducibility	always
Status	needs work	Resolution	open

Summary	0001025: Domain Dispute strange behaviour / Domain Dispute issue
Description	The problem is taken from ticket [s20120322.56 ] Domain dispute fallout? A few days ago I used the "Domain Dispute" tab on the CAcert.org website to "take" domain.tld away from User2, as I was under a time crunch to get some certs rolled. Before I did this User2 and I were unable to connect to arrange this some other way. While this got the domain.tld account transferred to me, User2 tells me it also messed up the other certs for domains he manages (both domain2.tld for us and several of his personal domains). If I understood correctly, it also prevented him from logging in to his cacert account. Do I understand correctly? If this is the case, did I miss a warning about the effect my clicking on "Domain dispute" would have? My only goal was to get domain.tld transferred to me so I could issue some certs, and I would have never clicked on that link if I had known that one of the consequences of that action would have been to affect User2's CAcert account or the other certificates he had been issued.
Additional Information	bug# generated for analyze and to reproduce reported problem
Tags	No tags attached.

Reviewed by	NEOatNHNG, BenBE
Test Instructions

related to	0000932	needs testing	BenBE	test.cacert.org	Get UTF8 failured email subject
related to	0001037	new		Main CAcert Website	Message text is wrong for disputing an primary email address from an account with a domain inside of the account
related to	0001117	new		Main CAcert Website	Outsource Disputes Text /disputes.php?id=0 to wiki
related to	0001026	needs work	Uli60	Main CAcert Website	Server Certificate was revoked but not by the user
related to	0001104	confirmed	INOPIAE	Main CAcert Website	Report Abuse not operative
related to	0000893	closed	INOPIAE	Main CAcert Website	Extend Delete account feature for support
related to	0000769	needs work	Ted	Main CAcert Website	Client certificate broken with unicode

Uli60 2012-03-22 15:03 updater ~0002887	pre-set ------- user1 email: user1@domain1.tld user2 email: user2@domain1.tld clientcerts: user2@domain1.tld domain: domain1.tld servercerts: cert1.domain1.tld cert2.domain1.tld domain: sub1.domain1.tld fail servercerts: cert1.sub1.domain1.tld - cert2.sub1.domain1.tld - domain: domain2.tld servercerts: cert1.domain2.tld cert2.domain2.tld domain: sub1.domain2.tld fail servercerts: cert1.sub1.domain2.tld - cert2.sub1.domain2.tld - test procedure -------------- created user1 and user2 both verified both accounts assured upto 100 assurance points loggedin user2 create client cert adding domain domain1.com confirm email probe (postmaster@), under ca-mgr1 under bug1025.user2 account email adding domain sub1.domain1.tld email probe to: postmaster@sub1.domain1.tld results in error: "Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid Failed to make a connection to the mail server" Bug? Fallback to postmaster@domain1.tld is impossible adding domain domain2.de confirm email probe (postmaster@), under ca-mgr1 under bug1025.user2 account email adding domain sub1.domain2.tld email probe to: postmaster@sub1.domain2.tld results in error: "Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid Failed to make a connection to the mail server" sub domains failed email probe, cannot be tested creating 4 server certs private keys and csr's with openssl, 2 each for domain1.tld and domain2.tld signing all 4 csr's with class3 testserver subroot 1. server1.domain1.com serno 10AF 2. server2.domain1.com serno 10B0 3. server1.domain2.de serno 10B1 4. server2.domain2.de serno 10B2 logout login user1 domain add domain1.tld error: The domain 'domain1.com' is already in a different account and is listed as valid. Can't continue. => OK Dispute Abuses + Domain Dispute warning message: "If your dispute is successful the domain will be removed from the current account and any certificates will be revoked." Please choose an authority email address postmaster@domain1.com click -> "Update Dispute" system message: "The domain 'domain1.com' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request." ca-mgr1: login to user2 6 new emails: 1. [CAcert.org] Dispute Probe 2.-6. [CAcert.org] Your Certificate is about to expire text of 1) You have been sent this email as the domain 'domain1.com' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute: https://cacert1.it-sls.de/disputes.php?type=domain&domainid=167973&hash=e2d8f99e5acff58421b8be6fcd0a6671 text of 2-6) Your certificate is set to expire in approximately 30 days time, ... (this relates to the shortened timeframe test certs expires within 1 week or 1 month) => OK doesn't relate to the domain dispute login user2 to testserver client certs view: 1 listed domains view: 2 domains listed server certs view: 4 server certs listed => OK (at this stage) accepting dispute Domain Dispute Reject Dispute Accept Dispute <= Report Dispute as Abuse click -> "update dispute" system message: "You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates. The following accounts have been removed: domain1.com" server certs view: 2 server certs listed for domain2.de (serno: 10B1, 10B2) domains view: 1 domain listed, domain2.de client certs view: 1 client cert listed user2@domain1.com (!) => OK logout login user1 domain view: 0 domains listed add domain: domain1.com confirming email probe view domains: domain1.com listed => OK ==> original bug report cannot be confirmed, cannot be reproduced on testserver

MarekMazur 2012-03-22 22:49 reporter ~0002888	Please to check this case: 1. user1 - 2+ e-mail accounts, no domains assigned; user2 - whatever. 2. Try e-mail dispute on user1 primary account. 3. user1 accept e-mail dispute. Code that is interesting: $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0")); $rc = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'")); $res = mysql_query("select * from `users` where `id`='$oldmemid'"); $user = mysql_fetch_assoc($res); if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email']) { mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'"); echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system."); } I have no clue what $rc2 is reffering to...

Uli60 2012-03-22 23:25 updater ~0002889 Last edited: 2012-03-22 23:51	strike "or domains" :D compare it to line 271 + 272 of /www/disputes.php /www/disputes.php l. 75 + 76 probably should be: $rc = mysql_num_rows(mysql_query("select * from `domains` ... $rc2 = mysql_num_rows(mysql_query("select * from `email` ... at least this is a bug, but doesn't relate to the reported issue if not wrongly clicked the EMAIL dispute instead of DOMAIN dispute. The answer can give user2 by forwarding line 1 of the email user 2 received for acceptance of the dispute, as this email line includes the text about the dispute method: -> EMAIL dispute -or- DOMAIN dispute reason why EMAIL dispute cannot delete an account if account has > 1 email address defined is /www/disputes.php line 271 - 279 code, that prevents removal of one email definition, if its not the only one email address left in the account.

MarekMazur 2012-03-22 23:39 reporter ~0002890	I don't get 'probably' part of your comment Uli. :) My simply guessing is that user1/2 is afraid of consequences and lies about that he used a domain dispute and sent email dispute instead. We won't ever know if someone don't check in database that there exist a deleted account referring to user1 e-mail address. If user2 lies, looking for reason of this bug is a waste of time.

MarekMazur 2012-03-23 01:13 reporter ~0002891	Ulrich, note that it is required for account to be empty only to start this process, finishing this process is not checking one of the requirements.

NEOatNHNG 2012-05-08 21:32 administrator ~0002991	I have fixed the $rc issue, please check whether the original bug is also fixed. Please test & review.

BenBE 2012-06-19 19:02 updater ~0003073	The patch looks sane and should fix the above mentioned problem. Reconstructing from the original source there really COULD be the situation when disputing the primary email address could lead to account removal even if there were still domains on that account left. This situation SHOULD be fixed with this patch.

BenBE 2012-11-20 20:27 updater ~0003348	The patch is okay and addresses the issue. Though the coding style could be better in cases of e.g. database errors - the code gives the correct result, but passing unchecked resource handles to mysql_num_rows is clearly bad style.

Uli60 2012-11-28 02:30 updater ~0003370	7 users generated bug1025.user0@w.d .. bug1025.user6@w.d prepared: 1 email 2 email 0 domains 1 domain 2 domains test-domains user1 + + behappy user2 + + morgen user3 + + risipisi, bauwagen user4 + + einmal, support user5 + + user6 + + login bug1025.user0@w.d dispute user1 domain The domain 'behappy' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request. login to ca-mgr1 for user1, mail received: You have been sent this email as the domain 'behappy' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute: https://cacert1.it-sls.de/disputes.php?type=domain&domainid=167995&hash=963ef3d1d5be963beb817f5e5731e390 3 options: Reject Dispute Accept Dispute <=== Report Dispute as Abuse You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates. The following accounts have been removed: behappy view Domains: empty => ok view email: 1 email => ok user0: view domains: no domains => ok view emails: 1 email => ok add domain -> behappy confirmation view domains: 1 domain => ok dispute email user1 You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates. The following accounts have been removed: bug1025.user1@w.d This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system. => ok user0: view domain: 1 => ok view email: 1 => ok add new email (user1), confirmed view domain: 1 => ok view email: 2 => ok test series 1 => ok ----- login user0 dispute user2b email, user2: accept dispute user0 view domain: 1 => ok view email: 2 => ok add email user2b, confirmed view domain: 1 => ok view email: 3 => ok (user2: 1 domains, 1 email left) dispute last email from user2 results in: You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it. => ok dispute domain from user2, accepted user0: view emails: 3 => ok view domains: 1 => ok add domain 'morgen', confirmed user0: view emails: 3 => ok view domains: 2 => ok dispute last email from user2, accepted user0: view emails: 3 => ok view domains: 2 => ok add email (user2), confirmed user0: view emails: 4 => ok view domains: 2 => ok trying to login to user2 -> Incorrect email address and/or Pass Phrase. -> ok (as expected) login to admin account, search user2 email Sysadmin - find user -> user2 shows bug1025.user0@w.d => ok emails shown as Secondary Emails (3), 2 domains => ok test series 2 => ok ----- series3: user3 + + risipisi, bauwagen login user0: disputing 2 domains, 1 email (in this order, email: bug1025.user3@w.d) You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it. ca-mgr1 login to user3 dispute probe for 2 domains found, accepting both user3: 0 domains remaining, 1 email remaining user0: restart email dispute, accepted user0: add 2 domains, 1 email ca-mgr user0: 3 probe emails -> 2 domains, 1 email, all 3 confirmed user0: view emails: 5 => ok view domains: 4 => ok test series 3 => ok ----- series 4: user4 2 email 2 domains einmal, support user0: dispute 2 domains, 1 secondary email, accepted by user4 (ca-mgr1 emails) user0: dispute last primary email, accepted by user4 user0: add 2 free'ed emails, add 2 free'ed domains user0: view emails: 7 => ok view domains: 6 => ok test series 4 => ok ----- summary email dispute of primary email cannot pass (message: You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.) if secondary email addresses or domains still remains under an account

INOPIAE 2012-12-08 08:28 updater ~0003380 Last edited: 2012-12-08 10:29	While testing I found five major errors: - Why is there no automatic log out of the account if the primary address is disputed successfully? - When disputing an email address from a German account the subject is somehow cryptic, when disputing it from an English account it shows a proper subject. German: =?utf-8?B?W0NBY2VydC5vcmddIMOcYmVydHJhZ3VuZ3NhbmZyYWdl?= English: [CAcert.org] Dispute Probe - When I am logged in with account 1 and I use the confirmation link send to account 2 the dispute process works. The dispute process should only work with the account where the confirmation link is send to. - There is no information how the responded of the dispute reacted. There should be a mail send to the requestor. - It is possible to delete an account that has given assurances via the dispute method. This should definitly not be allowed. If the account just got assured it may be possible. Nice to have have the disputing message in the language of the reciepient. Test: Removing the address from an account that only has an primary email address. Requesting account shows (message1): The email address 'xxx@yyy.tt' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request. =>ok Dispute account gets mail with this text (message2): You have been sent this email as the email address 'xxx@yyy.tt' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute: https://cacert1.it-sls.de/disputes.php?type=email&emailid=244644&hash=61a54aa79ff7d48c3358abd3ecf30de5 Best regards, CAcert.org Support! =>ok After following the link you see this (message3): Currently the email 'xxx@yyy.tt' is in dispute, you have been sent an email to resolve the issue, below you have the option to accept, reject or report the request as fraudulent. Reject Dispute Accept Dispute Report Dispute as Abuse =>ok When using Reject Dispute this is displayed (message4) You have opted to reject this dispute and the request will be removed from the database =>ok Account stays =>ok When using Accept Dispute this is displayed (message5) You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates. The following accounts have been removed: xxx@yyy.tt This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system. =>ok Account deleted=>ok When using Report Dispute as Abuse the forwared to https://cacert1.it-sls.de/disputes.php. What happens? Disputed 4.1025@acme.com from 0.1025@acme.com on 2012-12-08 10:30 Just disputing without any action: What happens? Disputed 5.1025@acme.com from 0.1025@acme.com on 2012-12-08 10:30 Removing the primary email address from an account that hold at least on other email address or an domain: Requesting account shows (message6): You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it. =>ok Text could be more percise. Nothing happens =>ok Removing the an email address from an account that hold at least two email addresses: Requesting account shows message1=>ok Dispute account gets mail with message2=>ok After following the link you see message3=>ok When using Reject Dispute message4 is displayed=>ok When using Accept Dispute this is displayed (message7) You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates. The following accounts have been removed: xxx@yyy.tt Text must be the "the following email address has been removed:" Text fails, Action is correct, email address removed =>partly fail Removing the a domain from an account that hold at least one email addresses and one domain: Requesting account shows this (message8): Please choose an authority email address ... =>ok After hiting update dispute shows this (message9): The domain 'yyy.tt' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request. =>ok Dispute account gets mail with this text (message10): You have been sent this email as the domain 'yyy.tt' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute: https://cacert1.it-sls.de/disputes.php?type=domain&domainid=168008&hash=040315ff58fdc51001bc69b5f53eefa4 Best regards, CAcert.org Support! =>ok After following the link you see this (message11): Currently the domain '1025.inopiae.com' is in dispute, you have been sent an email to resolve the issue, below you have the option to accept, reject or report the request as fraudulent. =>ok When using Reject Dispute message4 is displayed=>ok When using Accept Dispute this is displayed (message13): You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates. The following accounts have been removed: yyy.tt Text must be the "the following domain has been removed:" Text fails, Action is correct, email address removed =>partly fail

INOPIAE 2012-12-08 10:32 updater ~0003381	Needs definitly work see major errors discribed in https://bugs.cacert.org/view.php?id=1025#c3380

Uli60 2013-02-12 22:02 updater ~0003748 Last edited: 2013-02-12 22:14	- When disputing an email address from a German account the subject is somehow cryptic, when disputing it from an English account it shows a proper subject. German: =?utf-8?B?W0NBY2VydC5vcmddIMOcYmVydHJhZ3VuZ3NhbmZyYWdl?= English: [CAcert.org] Dispute Probe problem in ca-mgr1 (TMS) that doesn't handle utf8 subject lines correctly, but email clients do see https://bugs.cacert.org/view.php?id=932

Uli60 2013-02-12 22:17 updater ~0003750	- It is possible to delete an account that has given assurances via the dispute method. This should definitly not be allowed. If the account just got assured it may be possible. from https://bugs.cacert.org/view.php?id=1025#c3380 report possible simple solution: check if count(assurances-given) > 0 then throw exception: automated dispute impossible, file dispute by sending dispute email to support@c.o

BenBE 2015-08-09 21:06 updater ~0005446	The second issue in comment 3380 mentioned by INOPIAE has been addressed via a fix to issue 0000932 on the TMS/ca-mgr1.

Date Modified	Username	Field	Change
2012-03-22 13:51	Uli60	New Issue
2012-03-22 15:02	Uli60	Reproducibility	have not tried => unable to reproduce
2012-03-22 15:02	Uli60	Status	new => needs feedback
2012-03-22 15:03	Uli60	Note Added: 0002887
2012-03-22 15:03	Uli60	Status	needs feedback => new
2012-03-22 22:49	MarekMazur	Note Added: 0002888
2012-03-22 23:12	INOPIAE	Description Updated
2012-03-22 23:25	Uli60	Note Added: 0002889
2012-03-22 23:39	MarekMazur	Note Added: 0002890
2012-03-22 23:40	Uli60	Note Edited: 0002889
2012-03-22 23:50	Uli60	Note Edited: 0002889
2012-03-22 23:51	Uli60	Note Edited: 0002889
2012-03-23 01:13	MarekMazur	Note Added: 0002891
2012-05-08 20:27	INOPIAE	Relationship added	related to 0001037
2012-05-08 21:21	NEOatNHNG	Source_changeset_attached	=> cacert-devel testserver 5b56ff30
2012-05-08 21:21	NEOatNHNG	Source_changeset_attached	=> cacert-devel testserver 10df9bdc
2012-05-08 21:32	NEOatNHNG	Reviewed by	=> NEOatNHNG
2012-05-08 21:32	NEOatNHNG	Note Added: 0002991
2012-05-08 21:32	NEOatNHNG	Status	new => needs review & testing
2012-06-19 19:02	BenBE	Note Added: 0003073
2012-11-07 00:55	BenBE	Assigned To	=> BenBE
2012-11-20 20:27	BenBE	Reviewed by	NEOatNHNG => NEOatNHNG, BenBE
2012-11-20 20:27	BenBE	Note Added: 0003348
2012-11-20 20:27	BenBE	Reproducibility	unable to reproduce => always
2012-11-20 20:27	BenBE	Status	needs review & testing => needs testing
2012-11-28 02:30	Uli60	Note Added: 0003370
2012-11-29 20:40	Uli60	Relationship added	related to 0001117
2012-12-08 08:28	INOPIAE	Note Added: 0003380
2012-12-08 09:27	INOPIAE	Note Edited: 0003380
2012-12-08 10:29	INOPIAE	Note Edited: 0003380
2012-12-08 10:32	INOPIAE	Note Added: 0003381
2012-12-08 10:32	INOPIAE	Assigned To	BenBE => NEOatNHNG
2012-12-08 10:32	INOPIAE	Status	needs testing => needs work
2012-12-22 20:33	Werner Dworak	Relationship added	related to 0001026
2012-12-27 16:59	Werner Dworak	Relationship added	related to 0001104
2013-02-12 21:45	Uli60	Relationship added	related to 0000893
2013-02-12 22:02	Uli60	Note Added: 0003748
2013-02-12 22:13	Uli60	Relationship added	related to 0000932
2013-02-12 22:14	Uli60	Note Edited: 0003748
2013-02-12 22:17	Uli60	Note Added: 0003750
2015-08-09 21:06	BenBE	Note Added: 0005446
2021-08-25 13:36	bdmc	Relationship added	related to 0000769

View Issue Details

Relationships

Activities

Issue History