View Issue Details

ID: 0000152
Project: Main CAcert Website
Category: source code
View Status: public
Last Update: 2013-11-20 22:23
Reporter: bluec
Assigned To: 
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Fixed in Version: 2006
Summary: 0000152: I spy with my little eye something beginning with U ...
Description: User data, lost-password questions/answers, ... of every user I like.

https://www.cacert.org/account/13.php can be used to display everything in $_SESSION['_config']['user']. If you perform a "find an assurer" -> "email Me", this variable will be set with the data of the user you found using the search function. If you now update the account/13.php site you can see the user's data.

It should not be possible to run account/*.php directly. One solution would be to add something like

if (eregi('nameofscript.php', $_SERVER['PHP_SELF'])) die('You are not allowed to see this page directly');

I think there is a generic alias for nameofscript.php (something like __NAME__).
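As an added illustration (not CAcert's code, and not the fix recorded on this issue, which was an .htaccess deny): a PHP guard for an include-only page in the spirit of the eregi() check above, assuming a front controller index.php that defines CACERT_ENTRY before requiring account/13.php, and a session key $_SESSION['auth']['user'] that is written only at login.

```php
<?php
declare(strict_types=1);
// Added example, not CAcert's code. Assumed layout: index.php is the single
// entry point and does:
//   define('CACERT_ENTRY', true); session_start(); require 'account/13.php';
// The equivalent server-side fix is an .htaccess in account/ containing
//   Require all denied      (Apache 2.4; "Deny from all" on Apache 2.2)

/** Stop rendering unless this file was pulled in by the front controller. */
function require_front_controller(string $includedFile): void
{
    // 1. Sentinel constant: only index.php defines it, so a direct request
    //    for account/13.php never has it.
    if (!defined('CACERT_ENTRY')) {
        http_response_code(403);
        exit('You are not allowed to see this page directly');
    }
    // 2. Path check: the script the web server actually executed must not be
    //    this file. SCRIPT_FILENAME is set by the server; PHP_SELF can carry
    //    client-supplied PATH_INFO, so a substring match on it is less reliable.
    $executed = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');
    if ($executed !== false && $executed === realpath($includedFile)) {
        http_response_code(403);
        exit('You are not allowed to see this page directly');
    }
}

// ---- top of account/13.php (assumed) ----
require_front_controller(__FILE__);

// 3. Render only the authenticated account. Results of "find an assurer" are
//    kept under a separate session key (assumed) so they can never be mistaken
//    for the logged-in user's own record.
$me = $_SESSION['auth']['user'] ?? null;
if ($me === null) {
    http_response_code(401);
    exit('Please log in');
}
echo htmlspecialchars((string) $me['email'], ENT_QUOTES, 'UTF-8');
```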

Tags: No tags attached.
Reviewed by: 
Test Instructions: 

Relationships

has duplicate 0000209 (closed, duane): unauthenticated access on the test1 website

Activities

duane (developer), 2006-03-05 11:42, note ~0000095

.htaccess denies access to all files in the dir.

bluec (manager), 2006-04-24 05:46, note ~0000198

Has this bug been exploited? Check with webserver logfiles.

duane (developer), 2006-08-14 03:38, note ~0000412

Fixed in another bug.

bluec (manager), 2006-08-14 05:26, note ~0000423

My request was to verify that this bug has not been exploited. And please never close bugs I reported. Just assign them to me for feedback.

duane (developer), 2006-08-14 05:44, note ~0000425

This was closed as it was a duplicate report and there is no point having 2 bugs for the same problem. As for checking logs, this would be impossible to tell, as we only keep 12 months of server logs (Debian default).

Issue History

Date Modified Username Field Change
2006-03-05 10:27 bluec New Issue
2006-03-05 11:42 duane Status new => closed
2006-03-05 11:42 duane Note Added: 0000095
2006-03-05 11:42 duane Resolution open => fixed
2006-03-05 11:42 duane Fixed in Version => production
2006-04-01 03:31 bluec Resolution fixed => reopened
2006-04-20 18:37 bluec Relationship added has duplicate 0000209
2006-04-24 05:46 bluec Note Added: 0000198
2006-04-24 05:46 bluec Assigned To => bluec
2006-04-24 05:46 bluec Status closed => needs work
2006-08-14 03:38 duane Status needs work => closed
2006-08-14 03:38 duane Note Added: 0000412
2006-08-14 03:38 duane Resolution reopened => duplicate
2006-08-14 05:26 bluec Note Added: 0000423
2006-08-14 05:44 duane Note Added: 0000425
2011-06-22 00:09 NEOatNHNG Source_changeset_attached => cacert-devel master 98f70ef2
2013-01-14 01:07 Werner Dworak Assigned To bluec =>
2013-01-14 01:07 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public