View Issue Details

ID: 0001266
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2014-09-02 20:55
Reporter: BenBE
Assigned To: NEOatNHNG
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2014 Q2
Target Version: 2014 Q2
Fixed in Version: 2014 Q2
Summary: 0001266: Second-Level SQL Injection in Certificate-related queries
Description: Some of the statements related to domain/email certificates might allow a second-level SQL injection.
Additional Information: Quote from original mail:

[...]

Second-Order-SQL-Injection:

http://en.wikipedia.org/wiki/SQL_injection#Second_Order_SQL_Injection


includes/account.php:887
# ...
$query = "insert into `domaincerts` set
    `domid`='".$row['domid']."',
    `CN`='".mysql_real_escape_string($row['CN'])."',
    `subject`='".mysql_real_escape_string($row['subject'])."',".
    //`csr_name`='".$row['csr_name']."', // RACE CONDITION
    "`created`='".$row['created']."',
    `modified`=NOW(),
    `rootcert`='".$row['rootcert']."',
    `type`='".$row['type']."',
    `pkhash`='".$row['pkhash']."',
    `description`='".$row['description']."'"; // unvalidated update
# ...


includes/account.php:1061
# ...
$query = "insert into emailcerts set
    `memid`='".$row['memid']."',
    `CN`='".mysql_real_escape_string($row['CN'])."',
    `subject`='".mysql_real_escape_string($row['subject'])."',
    `keytype`='".$row['keytype']."',
    `csr_name`='".$row['csr_name']."',
    `created`='".$row['created']."',
    `modified`=NOW(),
    `disablelogin`='".$row['disablelogin']."',
    `codesign`='".$row['codesign']."',
    `rootcert`='".$row['rootcert']."',
    `description`='".$row['description']."'"; # unvalidated update
# ...

includes/account.php:1694
# ...
$query = "insert into `orgemailcerts` set
    `orgid`='".$row['orgid']."',
    `CN`='".$row['CN']."',
    `ou`='".$row['ou']."', # possible (?) unvalidated update
    `subject`='".$row['subject']."',
    `keytype`='".$row['keytype']."',
    `csr_name`='".$row['csr_name']."',
    `created`='".$row['created']."',
    `modified`=NOW(),
    `codesign`='".$row['codesign']."',
    `rootcert`='".$row['rootcert']."',
    `description`='".$row['description']."'"; # unvalidated update
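
A worked illustration of the second-order pattern the quoted mail describes, added here as example code: it is neither CAcert's code nor the fix that was deployed. It uses an in-memory SQLite table with a few of the `emailcerts` columns named above (table layout and sample rows are constructed) and performs the renewal copy twice, once by splicing the old row's columns into the statement text as the quoted PHP does, and once with bound parameters. The first write of the description is parameterised, so the value sits in the database looking harmless; it is the later copy that turns it into SQL. The `'--` value is the one INOPIAE later used when testing the fix.

```python
import sqlite3

# Constructed schema: a subset of the `emailcerts` columns from the report.
# Example code for this issue, not CAcert's own.
SCHEMA = """
CREATE TABLE emailcerts (
    id          INTEGER PRIMARY KEY,
    memid       INTEGER NOT NULL,
    CN          TEXT    NOT NULL,
    description TEXT    NOT NULL DEFAULT ''
);
"""


def new_db(description):
    """Create the table and store one certificate with the given description.
    This first write is parameterised, so the value is stored intact, quotes
    and comment markers included. That is what makes the later copy a
    second-order problem: the data is already inside the system and is
    treated as trusted."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO emailcerts (memid, CN, description) VALUES (?, ?, ?)",
        (42, "alice@example.org", description),  # constructed sample row
    )
    conn.commit()
    return conn


def _old_row(conn, cert_id):
    return conn.execute(
        "SELECT memid, CN, description FROM emailcerts WHERE id = ?",
        (cert_id,),
    ).fetchone()


def renew_concatenated(conn, cert_id):
    """Mirrors the pattern flagged in the report: the old row's columns are
    pasted into the new INSERT as text. Whatever the stored description
    contains is parsed as SQL syntax. Returns True if the copy succeeded."""
    row = _old_row(conn, cert_id)
    query = (
        "INSERT INTO emailcerts (memid, CN, description) VALUES ("
        + str(row["memid"]) + ", '" + row["CN"] + "', '" + row["description"] + "')"
    )
    try:
        conn.execute(query)
        conn.commit()
        return True
    except sqlite3.Error:
        # A quote or comment marker in the stored value has altered the
        # statement itself, so the renewal fails instead of copying the row.
        conn.rollback()
        return False


def renew_parameterised(conn, cert_id):
    """The hardened form: every column, including those read back from the
    database, travels as a bound parameter and never becomes statement text."""
    row = _old_row(conn, cert_id)
    conn.execute(
        "INSERT INTO emailcerts (memid, CN, description) VALUES (?, ?, ?)",
        (row["memid"], row["CN"], row["description"]),
    )
    conn.commit()
    return True


def descriptions(conn):
    """All stored descriptions in id order, to inspect what the copy produced."""
    return [r["description"] for r in
            conn.execute("SELECT description FROM emailcerts ORDER BY id")]


if __name__ == "__main__":
    for sample in ["plain text", "O'Brien's renewal", "'--"]:
        db = new_db(sample)
        print(repr(sample),
              "concatenated:", renew_concatenated(db, 1),
              "parameterised:", renew_parameterised(db, 1),
              descriptions(db))
```

Escaping every interpolated value, as the quoted code already does for `CN` and `subject`, also closes the hole; bound parameters are preferable because the statement's structure then no longer depends on the content of any column at all, so a value that was safe to store stays safe to copy.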

Tags: No tags attached.
Reviewed by: NEOatNHNG, BenBE
Test Instructions:

Relationships

related to 0001260 (needs work, BenBE): Make the source compatible with recent PHP versions
related to 0000782 (closed, NEOatNHNG): Add "notes" field to certificate information
related to 0001272 (closed, NEOatNHNG): Arbitrary Code Execution via SQL injection on certain database fields

Activities

NEOatNHNG

2014-04-09 22:13

administrator   ~0004706

I have implemented a fix and put it on the test server. Please review and test.

NEOatNHNG

2014-04-10 00:02

administrator   ~0004707

I have renewed a client cert, a server cert, an org server cert and an org client cert => all OK (some errors in the error log, but those seem to have been present before the fix as well).

MartinGummi

2014-04-10 02:04

updater   ~0004709

Last edited: 2014-04-10 02:28

Click on Org Admin > View (account.php?id=35): white page.

Later edit:
My test user is an Org Assurer but not assigned to any Organization.
I added this user to an Org and performed the test.

I think this is not part of this bug, maybe a minor for another bugfix

==> OK

MartinGummi

2014-04-10 02:24

updater   ~0004710

I have created
 * client cert => OK
 * server cert => OK
 * org client cert => OK
 * org server cert => OK

I see no errors on the webpage, but I can't look at the log or console (I have no access to the test server ;-) ).

==> OK

Eva

2014-04-10 05:29

updater   ~0004711

Last edited: 2014-04-10 05:30

No problem to create or renew client certificates.

Could not renew server certificate: "You did not select any certificates for renewal."

I tried this about 5-10 times, with or without a comment.

Used `csr_name`='".$row['csr_name']."', nothing, or an existing comment as the comment.

INOPIAE

2014-04-11 05:01

updater   ~0004712

I tested at 2014-04-11 6:50 CEST:
New client certificate with interface => ok
New client certificate with CSR => ok
Renew client certificate => ok
New server certificate => ok
Renew server certificate => ok
New org client certificate => ok
Renew org client certificate => ok
New org server certificate => ok
Renew org server certificate => ok

I could not check the logs.

Eva

2014-04-11 20:59

updater   ~0004715

I tried to renew a Server Certificate yesterday: same result.

Today I tried to
- renew Server Certificate
- renew Org Certificate
- renew Org Server Certificate

It worked.

Could not see logs.

NEOatNHNG

2014-04-15 20:40

administrator   ~0004719

Last edited: 2014-04-15 20:40

0001266:0004711: I just went through the error logs; there was a line
[Thu Apr 10 07:26:33 2014] [error] [client XXX] PHP Notice: Undefined index: revokeid in /git/cacert/includes/account.php on line 872, referer: https://cacert1.it-sls.de//account.php?id=12&viewall=1

which seems to trigger the error message but doesn't explain why the browser didn't send the revokeid. Also, I don't see changes between the time the test was done and now that would explain the change of behaviour. As other tests went well and the problem seems to have resolved into thin air, I would say we ignore this issue for now.

INOPIAE

2014-04-15 20:55

updater   ~0004720

Last edited: 2014-04-15 20:55

I changed the description of the certificate to '--. Afterwards I renewed the certificate.
client cert => ok
server cert => ok
org client cert => ok
org server cert => ok

=> ok

INOPIAE

2014-04-15 21:06

updater   ~0004722

2 successful tests and one which afterwards turned out to be ok. The reason for the failure in the first test series could not be found.

BenBE

2014-04-15 21:06

updater   ~0004723

Second review OK.

BenBE

2014-04-15 21:57

updater   ~0004731

Sent to critical.

NEOatNHNG

2014-04-18 13:50

administrator   ~0004740

Applied to the critical system on 2014-04-18 08:12:30

See https://lists.cacert.org/wws/arc/cacert-systemlog/2014-04/msg00006.html

Issue History

Date Modified | Username | Field | Change
2014-04-09 20:34 BenBE New Issue
2014-04-09 20:34 BenBE Assigned To => NEOatNHNG
2014-04-09 20:38 BenBE Relationship added related to 0001260
2014-04-09 20:47 NEOatNHNG Relationship added related to 0000782
2014-04-09 22:13 NEOatNHNG Reviewed by => NEOatNHNG
2014-04-09 22:13 NEOatNHNG Note Added: 0004706
2014-04-09 22:13 NEOatNHNG Status new => needs review & testing
2014-04-09 22:13 NEOatNHNG Assigned To NEOatNHNG => BenBE
2014-04-09 22:15 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable b397ed87
2014-04-09 22:15 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable b349807b
2014-04-10 00:02 NEOatNHNG Note Added: 0004707
2014-04-10 02:04 MartinGummi Note Added: 0004709
2014-04-10 02:24 MartinGummi Note Added: 0004710
2014-04-10 02:28 MartinGummi Note Edited: 0004709 View Revisions
2014-04-10 05:29 Eva Note Added: 0004711
2014-04-10 05:30 Eva Note Edited: 0004711 View Revisions
2014-04-11 05:01 INOPIAE Note Added: 0004712
2014-04-11 20:59 Eva Note Added: 0004715
2014-04-15 20:40 NEOatNHNG Note Added: 0004719
2014-04-15 20:40 NEOatNHNG Note Edited: 0004719 View Revisions
2014-04-15 20:55 INOPIAE Note Added: 0004720
2014-04-15 20:55 INOPIAE Note Edited: 0004720 View Revisions
2014-04-15 21:06 INOPIAE Note Added: 0004722
2014-04-15 21:06 INOPIAE Status needs review & testing => needs review
2014-04-15 21:06 BenBE Reviewed by NEOatNHNG => NEOatNHNG, BenBE
2014-04-15 21:06 BenBE Note Added: 0004723
2014-04-15 21:06 BenBE Status needs review => ready to deploy
2014-04-15 21:35 BenBE Source_changeset_attached => cacert-devel release cf0497dc
2014-04-15 21:57 BenBE Note Added: 0004731
2014-04-18 13:50 NEOatNHNG Note Added: 0004740
2014-04-18 13:50 NEOatNHNG View Status private => public
2014-04-18 13:50 NEOatNHNG Status ready to deploy => solved?
2014-04-18 13:50 NEOatNHNG Fixed in Version => 2014 Q2
2014-04-18 13:50 NEOatNHNG Resolution open => fixed
2014-04-18 13:50 NEOatNHNG Assigned To BenBE => NEOatNHNG
2014-04-19 01:42 NEOatNHNG Relationship added related to 0001272
2014-09-02 20:55 INOPIAE Status solved? => closed