View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001266 | Main CAcert Website | certificate issuing | public | 2014-04-09 20:34 | 2014-09-02 20:55 |
Reporter | BenBE | Assigned To | NEOatNHNG | ||
Priority | high | Severity | major | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | 2014 Q2 | ||||
Target Version | 2014 Q2 | Fixed in Version | 2014 Q2 | ||
Summary | 0001266: Second-Level SQL Injection in Certificate-related queries | ||||
Description | Some of the statements related to domain/email certificates might allow a second-level SQL injection. | ||||
Additional Information | Quote from original mail: [...] Second-Order-SQL-Injection: http://en.wikipedia.org/wiki/SQL_injection#Second_Order_SQL_Injection | ||||

includes/account.php:887

```php
# ...
$query = "insert into `domaincerts` set
        `domid`='".$row['domid']."',
        `CN`='".mysql_real_escape_string($row['CN'])."',
        `subject`='".mysql_real_escape_string($row['subject'])."',".
        //`csr_name`='".$row['csr_name']."', // RACE CONDITION
        "`created`='".$row['created']."',
        `modified`=NOW(),
        `rootcert`='".$row['rootcert']."',
        `type`='".$row['type']."',
        `pkhash`='".$row['pkhash']."',
        `description`='".$row['description']."'"; // unvalidated update
# ...
```

includes/account.php:1061

```php
# ...
$query = "insert into emailcerts set
        `memid`='".$row['memid']."',
        `CN`='".mysql_real_escape_string($row['CN'])."',
        `subject`='".mysql_real_escape_string($row['subject'])."',
        `keytype`='".$row['keytype']."',
        `csr_name`='".$row['csr_name']."',
        `created`='".$row['created']."',
        `modified`=NOW(),
        `disablelogin`='".$row['disablelogin']."',
        `codesign`='".$row['codesign']."',
        `rootcert`='".$row['rootcert']."',
        `description`='".$row['description']."'"; # unvalidated update
# ...
```

includes/account.php:1694

```php
# ...
$query = "insert into `orgemailcerts` set
        `orgid`='".$row['orgid']."',
        `CN`='".$row['CN']."',
        `ou`='".$row['ou']."', # possible (?) unvalidated update
        `subject`='".$row['subject']."',
        `keytype`='".$row['keytype']."',
        `csr_name`='".$row['csr_name']."',
        `created`='".$row['created']."',
        `modified`=NOW(),
        `codesign`='".$row['codesign']."',
        `rootcert`='".$row['rootcert']."',
        `description`='".$row['description']."'"; # unvalidated update
```
Tags | No tags attached. | ||||
Reviewed by | NEOatNHNG, BenBE | ||||
Test Instructions | |||||
|
I have implemented a fix and put it on the test server. Please review and test. |
|
I have renewed a client cert, a server cert, an org server cert and an org client cert => All OK (some errors in the error log but those seem to also have been present before the fix) |
|
Click on Org Admin > View (account.php?id=35): white page. Later edit: My test user is Org Assurer but not assigned to any Organization. I added this user to an Org and performed the test. I think this is not part of this bug, maybe a minor for another bugfix ==> OK |
|
I have created * client cert => OK * server cert => OK * org client cert => OK * org server cert => OK. I see no errors on the webpage but I can't look at the log or console (I've no access to the testserver ;-) ) ==> OK |
|
No problem creating or renewing client certificates. Could not renew server certificate: "You did not select any certificates for renewal." I tried this about 5-10 times with or without comment. Used `csr_name`='".$row['csr_name']."', nothing or existing comment as comment |
|
I tested as 2014-04-11 6:50 CEST New client certificate with interface => ok New client certificate with csr => ok Renew client certificate => ok New server certificate =>ok Renew server certificate => ok New org client certificate => ok Renew org client certificate => ok New org server certificate =>ok Renew org server certificate => ok I could not check the logs |
|
I tried to renew a Server Certificate yesterday - same result. I tried to - renew Server Certificate - renew Org Certificate - renew Org Server Certificate today. It worked. Could not see logs. |
|
0001266:0004711: I just went through the error logs: there was a line [Thu Apr 10 07:26:33 2014] [error] [client XXX] PHP Notice: Undefined index: revokeid in /git/cacert/includes/account.php on line 872, referer: https://cacert1.it-sls.de//account.php?id=12&viewall=1 Which seems to trigger the error message but doesn't explain why the browser didn't send the revokeid. Also I don't see changes from the time the test was done until now that explain the change of behaviour. As other tests went well and the problem seems to have resolved into thin air I would say we ignore this issue for now. |
|
I changed the description of certificate to '--. Afterwards I renewed the certificate. client cert => ok server cert => ok org client cert => ok org server cert => ok => ok |
|
2 successful tests and one which turned out afterwards to be ok. The reason for the fail in the first test series could not be found. |
|
Second review OK. |
|
Sent to critical. |
|
Applied to the critical system on 2014-04-18 08:12:30 See https://lists.cacert.org/wws/arc/cacert-systemlog/2014-04/msg00006.html |
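
The pattern behind the queries quoted in this issue, as an added example that is not CAcert's code and not the fix that was deployed: a value stored safely at input time is read back on renewal and concatenated into the next statement. It assumes a constructed `emailcerts` table in in-memory SQLite and uses PDO bound parameters in place of the `mysql_*` API; `renew_concatenated` and `renew_bound` are hypothetical names.

```php
<?php
// Added illustration, not CAcert code. Table layout and row values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE emailcerts (id INTEGER PRIMARY KEY, memid INTEGER,
    CN TEXT, description TEXT, rootcert INTEGER)");

// First order: the user-supplied description is bound as a parameter, so it is
// stored verbatim. The value is the one used in the test note on this page.
$insertSql = "INSERT INTO emailcerts (memid, CN, rootcert, description) VALUES (?, ?, ?, ?)";
$pdo->prepare($insertSql)->execute([1, 'user@example.org', 1, "'--"]);

// Renewal in the style of the quoted queries: the row read back from the
// database is treated as trusted and concatenated into the new statement.
function renew_concatenated(PDO $pdo, int $id): int
{
    $row = $pdo->query("SELECT * FROM emailcerts WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    $pdo->exec("INSERT INTO emailcerts (memid, CN, rootcert, description) VALUES ("
        . "'" . $row['memid'] . "', '" . $row['CN'] . "', '" . $row['rootcert'] . "', "
        . "'" . $row['description'] . "')");
    return (int) $pdo->lastInsertId();
}

// Renewal with every copied column bound as a parameter: stored data stays data.
function renew_bound(PDO $pdo, int $id): int
{
    $sel = $pdo->prepare("SELECT memid, CN, rootcert, description FROM emailcerts WHERE id = ?");
    $sel->execute([$id]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $ins = $pdo->prepare(
        "INSERT INTO emailcerts (memid, CN, rootcert, description) VALUES (?, ?, ?, ?)");
    $ins->execute([$row['memid'], $row['CN'], $row['rootcert'], $row['description']]);
    return (int) $pdo->lastInsertId();
}

try {
    renew_concatenated($pdo, 1);
    echo "concatenated renewal: statement ran\n";
} catch (PDOException $e) {
    // The stored quote closed the string literal early, so the parser saw data as SQL.
    echo "concatenated renewal: rejected by the SQL parser\n";
}

$newId = renew_bound($pdo, 1);
$check = $pdo->prepare("SELECT description FROM emailcerts WHERE id = ?");
$check->execute([$newId]);
echo "bound renewal kept description intact: ";
var_dump($check->fetchColumn() === "'--");
```

Escaping or binding only at the point where input first arrives does not cover this path; every statement that copies a stored column has to treat it as untrusted again.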
Date Modified | Username | Field | Change |
---|---|---|---|
2014-04-09 20:34 | BenBE | New Issue | |
2014-04-09 20:34 | BenBE | Assigned To | => NEOatNHNG |
2014-04-09 20:38 | BenBE | Relationship added | related to 0001260 |
2014-04-09 20:47 | NEOatNHNG | Relationship added | related to 0000782 |
2014-04-09 22:13 | NEOatNHNG | Reviewed by | => NEOatNHNG |
2014-04-09 22:13 | NEOatNHNG | Note Added: 0004706 | |
2014-04-09 22:13 | NEOatNHNG | Status | new => needs review & testing |
2014-04-09 22:13 | NEOatNHNG | Assigned To | NEOatNHNG => BenBE |
2014-04-09 22:15 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable b397ed87 |
2014-04-09 22:15 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable b349807b |
2014-04-10 00:02 | NEOatNHNG | Note Added: 0004707 | |
2014-04-10 02:04 | MartinGummi | Note Added: 0004709 | |
2014-04-10 02:24 | MartinGummi | Note Added: 0004710 | |
2014-04-10 02:28 | MartinGummi | Note Edited: 0004709 | |
2014-04-10 05:29 | Eva | Note Added: 0004711 | |
2014-04-10 05:30 | Eva | Note Edited: 0004711 | |
2014-04-11 05:01 | INOPIAE | Note Added: 0004712 | |
2014-04-11 20:59 | Eva | Note Added: 0004715 | |
2014-04-15 20:40 | NEOatNHNG | Note Added: 0004719 | |
2014-04-15 20:40 | NEOatNHNG | Note Edited: 0004719 | |
2014-04-15 20:55 | INOPIAE | Note Added: 0004720 | |
2014-04-15 20:55 | INOPIAE | Note Edited: 0004720 | |
2014-04-15 21:06 | INOPIAE | Note Added: 0004722 | |
2014-04-15 21:06 | INOPIAE | Status | needs review & testing => needs review |
2014-04-15 21:06 | BenBE | Reviewed by | NEOatNHNG => NEOatNHNG, BenBE |
2014-04-15 21:06 | BenBE | Note Added: 0004723 | |
2014-04-15 21:06 | BenBE | Status | needs review => ready to deploy |
2014-04-15 21:35 | BenBE | Source_changeset_attached | => cacert-devel release cf0497dc |
2014-04-15 21:57 | BenBE | Note Added: 0004731 | |
2014-04-18 13:50 | NEOatNHNG | Note Added: 0004740 | |
2014-04-18 13:50 | NEOatNHNG | View Status | private => public |
2014-04-18 13:50 | NEOatNHNG | Status | ready to deploy => solved? |
2014-04-18 13:50 | NEOatNHNG | Fixed in Version | => 2014 Q2 |
2014-04-18 13:50 | NEOatNHNG | Resolution | open => fixed |
2014-04-18 13:50 | NEOatNHNG | Assigned To | BenBE => NEOatNHNG |
2014-04-19 01:42 | NEOatNHNG | Relationship added | related to 0001272 |
2014-09-02 20:55 | INOPIAE | Status | solved? => closed |