View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001272 | Main CAcert Website | certificate issuing | public | 2014-04-18 22:44 | 2014-09-02 20:55 |
| Reporter | BenBE | Assigned To | NEOatNHNG | ||
| Priority | urgent | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 2014 Q2 | ||||
| Target Version | 2014 Q2 | Fixed in Version | 2014 Q2 | ||
| Summary | 0001272: Arbitrary Code Execution via SQL injection on certain database fields | ||||
| Description | When issuing certificates some fields are not properly escaped on renew and thus can be used to create a SQL injection. This SQL injection could be used to manipulate the CRT filename field which is passed unchecked to the shell at some places. | ||||
| Steps To Reproduce | Create certificate with Description like: ', crt_name = '; cat /etc/passwd Renew the certificate | ||||
| Additional Information | A proof of concept has been submitted to the Software Team. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | NEOatNHNG, BenBE | ||||
| Test Instructions | |||||
|
|
Fix on Testserver |
|
|
Created client certificate with browser and comment field filled with ', crt_name = '; cat /etc/passwd Renewed certificate -> everything seems normal, certificate looks normal, comment looks like it should Created server certificate with comment field filled with ', crt_name = '; cat /etc/passwd Renewed certificate -> everything seems normal, certificate looks normal, comment looks like it should Created org server certificate with comment field filled with ', crt_name = '; cat /etc/passwd Renewed certificate -> everything seems normal, certificate looks normal, comment looks like it should Tried to create org client certificate with said comment -> error message: The challenge-response code of your certificate request did not match. Can't continue with certificaterequest. Wanted instead to double renew an org client certificate with said comment. Renew was no problem, but after the renew the comment field was empty (as before), so could not renew the comment a second time by this. looks ok, maybe with exception of org clients, but as it is NOT possible to add clients with said comment at all, the bug should not be possible to execute by this => ok |
|
|
Created client certificate with browser and comment field filled with ', crt_name = '; cat /etc/passwd Renewed certificate -> everything seems normal, certificate looks normal, comment looks like it should Created server certificate with comment field filled with ', crt_name = '; cat /etc/passwd Renewed certificate -> everything seems normal, certificate looks normal, comment looks like it should Tried to create org client certificate with said comment Error: The challenge-response code of your certificate request did not match. Can't continue with certificaterequest After patch Renewed certificate everything seems normal, certificate looks normal, comment looks like it should Created org server certificate with comment field filled with ', crt_name = '; cat /etc/passwd Renewed certificate -> everything seems normal, certificate looks normal, comment looks like it should ==> OK |
|
|
After change of patch: Created client certificate with browser and comment field filled with ', crt_name = '; cat /etc/passwd Renewed certificate -> everything seems normal, certificate looks normal, comment looks like it should -> ok Re-Did the previous test again, works as above -> ok (I used different combinations of 2k, 4k RSA and different options of SHA, also switched between class 1 and class 3) => ok |
|
|
Second review OK. Mail sent to critical admins. |
|
|
The patch has been installed on the production server on April 19, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-04/msg00008.html |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-04-18 22:44 | BenBE | New Issue | |
| 2014-04-18 22:44 | BenBE | Assigned To | => NEOatNHNG |
| 2014-04-18 22:55 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 1ea66e99 |
| 2014-04-18 22:55 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 066a0223 |
| 2014-04-18 23:14 | BenBE | Note Added: 0004742 | |
| 2014-04-18 23:14 | BenBE | Status | new => needs review & testing |
| 2014-04-18 23:15 | BenBE | Reviewed by | => BenBE |
| 2014-04-18 23:32 | Eva | Note Added: 0004743 | |
| 2014-04-18 23:32 | MartinGummi | Note Added: 0004744 | |
| 2014-04-18 23:33 | MartinGummi | Note Edited: 0004744 | |
| 2014-04-18 23:34 | Eva | Note Edited: 0004743 | |
| 2014-04-18 23:40 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 42c0b5e4 |
| 2014-04-18 23:40 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 39d62423 |
| 2014-04-18 23:46 | Eva | Note Added: 0004745 | |
| 2014-04-18 23:53 | Eva | Note Edited: 0004745 | |
| 2014-04-19 00:02 | Eva | Note Edited: 0004745 | |
| 2014-04-19 00:09 | MartinGummi | Note Edited: 0004744 | |
| 2014-04-19 00:11 | MartinGummi | Note Edited: 0004743 | |
| 2014-04-19 00:12 | MartinGummi | Note Edited: 0004743 | |
| 2014-04-19 00:13 | MartinGummi | Note Edited: 0004743 | |
| 2014-04-19 00:16 | MartinGummi | Note Edited: 0004744 | |
| 2014-04-19 00:23 | BenBE | Status | needs review & testing => needs review |
| 2014-04-19 01:28 | NEOatNHNG | Reviewed by | BenBE => NEOatNHNG, BenBE |
| 2014-04-19 01:28 | NEOatNHNG | Note Added: 0004746 | |
| 2014-04-19 01:28 | NEOatNHNG | Status | needs review => ready to deploy |
| 2014-04-19 01:42 | NEOatNHNG | Relationship added | related to 0001266 |
| 2014-04-19 13:45 | wytze | Note Added: 0004747 | |
| 2014-04-19 13:45 | wytze | Status | ready to deploy => solved? |
| 2014-04-19 13:45 | wytze | Fixed in Version | => 2014 Q2 |
| 2014-04-19 13:45 | wytze | Resolution | open => fixed |
| 2014-04-21 22:20 | NEOatNHNG | View Status | private => public |
| 2014-09-02 20:55 | INOPIAE | Status | solved? => closed |
