View Issue Details

IDProjectCategoryView StatusLast Update
0001291Main CAcert Websiteweb of trustpublic2014-11-21 06:49
ReporterEva Assigned ToNEOatNHNG  
PriorityimmediateSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2012 Q2 
Target Version2014 Q3Fixed in Version2014 Q3 
Summary0001291: executable code can be entered in location field, executable on wot15
DescriptionIt is possible to enter executable code in the location field of assurances.

WoT 10 will escape such entries. WoT 15 does not. An exploit works there.

This is described in a dispute from 2012-05-22.

It would be good if
a) WoT15 would escape the display of such codes
b) it would be blocked such entries into the location field at all, for example by refusing to accept anything that contains "<" followed later by ">".
Steps To ReproduceAssure an account with "<script type="text/javascript">alert("FAIL!");</script>"
Go to WoT 15 for assurer, assuree or support console.
A popup with "Fail!" will appear.

(Other things like bold or italic ... can also be entered, but are not critcal.)
Additional InformationI tested this with the Account
KatziAdmin@cacert.org doing assurances over

Miraculix@acme.com (<script>bla</script>)
Idefix@acme.com (bla) // bla in italic
Asterix@acme.com (<script type="text/javascript">alert("FAIL!");</script>)
TagsNo tags attached.
Reviewed byNEOatNHNG, BenBE
Test Instructions

Activities

Eva

2014-07-26 18:22

updater   ~0004893

I tried the same things on the free fields of the account creation page for the account blablub@acme.com.

The last name, pw and one pw-answer were "<script type="text/javascript">alert("FAIL!");</script>", all other free fields had entries with ... or ....

It seemed that all entries were escaped before they were entered in the DB, at least I did not find any hint anywhere (own account, assurer, support) that the tags were entered. They seem to be removed (or escaped in the case of the PW.

However when I entered the PW in the test-management-page for the email-ping, the script was executed.

MartinGummi

2014-07-26 18:28

updater   ~0004894

Last edited: 2014-07-26 18:29

View 2 revisions

After this post from Eva,

I look via SE console in the account of blablub@acme.com

First Name: bla
Middle Name: blub
Last Name: alert("FAIL!");

I change to Middle Name:
<script type="text/javascript">alert("FAIL!");</script>


and push the Go Button

the SE Console show

First Name: bla
Middle Name: alert(\"FAIL!\");
Last Name: alert(\"FAIL!\");

BenBE

2014-07-27 11:00

updater   ~0004896

Ready for testing on testserver.

Eva

2014-07-27 11:12

updater   ~0004898

1. checked how old entries worked:
I looked at WoT15 points for
KatziAdmin@cacert.org
Miraculix@acme.com
Idefix@acme.com
Asterix@acme.com
-> everything was escaped correctly
-> ok

I looked from the support console on the WoT15 assurances of the following accounts:
Miraculix@acme.com
Idefix@acme.com
Asterix@acme.com
-> everything was escaped correctly
-> ok

2. checked with new assurance
I entered an assurnance from Asterix@acme.com over Miraculix@acme.com with the location <script type="text/javascript">alert("FAIL!");</script>

Then I checked:
- points of Asterix@acme.com (WoT10 and WoT15)
- points of Miraculix@acme.com (WoT10 and WoT15)
- support console, assurances given by Asterix@acme.com (WoT10 and WoT15)
- support console, assurances gotten by Miraculix@acme.com (WoT10 and WoT15)
-> everything was escaped correctly
-> ok

=> ok for behavior change of WoT 15

INOPIAE

2014-07-27 11:45

updater   ~0004899

I assured 2001.jan14@acme.com with <script type="text/javascript">alert("FAIL!");</script>in the location field.

No popup was given. => ok

Looking at my points no popup => ok
Looking at SE console no popup => ok

Location shows alert("FAIL!") => ok

=> ok

Eva

2014-07-27 12:28

updater   ~0004900

Last edited: 2014-07-27 12:28

View 2 revisions

I tried to assure an account with syntactic incorrect but possibly working entry <script type="text/javascript">alert("FAIL!"); in location field.

Assurance was done with KatziAdmin@cacert.org over 2001.jan14@acme.com

When I looked at the tables there was always the correct entry (checked with looking at source).
=> ok

BenBE

2014-07-27 14:31

updater   ~0004901

Added workaround for issue reported by magu on wot 6. Please retest. Especially umlauts, special characters and other stuff.

Eva

2014-07-27 14:45

updater   ~0004902

Last edited: 2014-07-27 14:48

View 2 revisions

I do not know WHAT should be re-tested.

Also the question is: is this bug the same bug, as the original reported one? If not, please move this to another bug, so that they do not have to wait for each other.

Eva

2014-07-27 21:13

updater   ~0004904

Could you please explain the issue and how to test if it is fixed?

NEOatNHNG

2014-07-28 11:48

administrator   ~0004905

Last edited: 2014-07-28 11:50

View 2 revisions

I have reviewed the changes and they look OK.

Testing: try to insert malicious content into the name fields, the location, and the date and check if it is effective in the new point overview (wot 15) or in the assure someone page (wot 6). Also try some special but allowable inputs such as special characters not in latin1.

Eva

2014-07-29 21:48

updater   ~0004906

I assured an account with umlauts. I detected no issue. But I did not detect issues with this, befor the followup-patch.

I used again <script type="text/javascript">alert("FAIL!");</script> in the location field.

Had no problems in any of the views afterwards.

=> ok

BenBE

2014-07-29 21:50

updater   ~0004907

Minor fixup to resynchronize the calculation of the wothash based on the name of the user. While the wot/6.php included the sanitizing it was missing in www/wot.php causing failures to assure some users. This has just been fixed by pulling the escaping to be present at the place where it is checked.

This should not require to repeat the review; though I'm open if anyone sees need anyway.

Eva

2014-07-29 21:56

updater   ~0004909

My last test was after the last change from Benny (see changelog), as I first was not able to finish the assurance for said test and only could do so after his change.

MartinGummi

2014-07-29 23:19

updater   ~0004912

Last edited: 2014-07-29 23:20

View 2 revisions

use <script type="text/javascript">alert("FAIL!");</script>

assure special account
 location       -> OK
 names 
  history       -> OK
  SE            -> OK
  10            -> OK
  15            -> OK

=> OK


wytze

2014-08-09 09:22

developer   ~0004928

The fix has been installed on the production server on August 9, 2014. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00006.html

Issue History

Date Modified Username Field Change
2014-07-26 14:59 Eva New Issue
2014-07-26 14:59 Eva Assigned To => NEOatNHNG
2014-07-26 18:22 Eva Note Added: 0004893
2014-07-26 18:25 Eva Additional Information Updated View Revisions
2014-07-26 18:28 MartinGummi Note Added: 0004894
2014-07-26 18:29 MartinGummi Note Edited: 0004894 View Revisions
2014-07-26 18:30 MartinGummi Steps to Reproduce Updated View Revisions
2014-07-26 18:30 MartinGummi Additional Information Updated View Revisions
2014-07-26 18:31 MartinGummi Steps to Reproduce Updated View Revisions
2014-07-26 18:31 MartinGummi Steps to Reproduce Updated View Revisions
2014-07-26 18:31 MartinGummi Additional Information Updated View Revisions
2014-07-26 18:32 MartinGummi Additional Information Updated View Revisions
2014-07-27 11:00 BenBE Source_changeset_attached => cacert-devel testserver-stable eab48f34
2014-07-27 11:00 BenBE Source_changeset_attached => cacert-devel testserver-stable 89901a37
2014-07-27 11:00 BenBE Reviewed by => BenBE
2014-07-27 11:00 BenBE Note Added: 0004896
2014-07-27 11:00 BenBE Status new => needs review & testing
2014-07-27 11:00 BenBE Category website content => web of trust
2014-07-27 11:00 BenBE Product Version => 2012 Q2
2014-07-27 11:00 BenBE Target Version => 2014 Q3
2014-07-27 11:12 Eva Note Added: 0004898
2014-07-27 11:45 INOPIAE Note Added: 0004899
2014-07-27 12:28 Eva Note Added: 0004900
2014-07-27 12:28 Eva Note Edited: 0004900 View Revisions
2014-07-27 14:30 BenBE Source_changeset_attached => cacert-devel testserver-stable 17f46a81
2014-07-27 14:30 BenBE Source_changeset_attached => cacert-devel testserver-stable ba17817e
2014-07-27 14:31 BenBE Note Added: 0004901
2014-07-27 14:45 Eva Note Added: 0004902
2014-07-27 14:48 Eva Note Edited: 0004902 View Revisions
2014-07-27 21:13 Eva Note Added: 0004904
2014-07-28 11:48 NEOatNHNG Reviewed by BenBE => NEOatNHNG, BenBE
2014-07-28 11:48 NEOatNHNG Note Added: 0004905
2014-07-28 11:48 NEOatNHNG Status needs review & testing => needs testing
2014-07-28 11:50 NEOatNHNG Note Edited: 0004905 View Revisions
2014-07-29 21:30 BenBE Source_changeset_attached => cacert-devel testserver-stable 32ea5681
2014-07-29 21:30 BenBE Source_changeset_attached => cacert-devel testserver-stable b2f8a5d2
2014-07-29 21:48 Eva Note Added: 0004906
2014-07-29 21:50 BenBE Note Added: 0004907
2014-07-29 21:56 Eva Note Added: 0004909
2014-07-29 23:19 MartinGummi Note Added: 0004912
2014-07-29 23:20 MartinGummi Note Edited: 0004912 View Revisions
2014-08-05 20:15 MartinGummi Status needs testing => ready to deploy
2014-08-09 09:15 BenBE Source_changeset_attached => cacert-devel release 3641ed05
2014-08-09 09:22 wytze Note Added: 0004928
2014-08-09 09:22 wytze Status ready to deploy => solved?
2014-08-09 09:22 wytze Fixed in Version => 2014 Q3
2014-08-09 09:22 wytze Resolution open => fixed
2014-08-09 11:58 BenBE View Status private => public
2014-11-21 06:49 INOPIAE Status solved? => closed