View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000161 | Main CAcert Website | source code | public | 2006-03-06 01:25 | 2013-11-20 22:23 |
| Reporter | aanriot | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 2006 | ||||
| Summary | 0000161: concerning variable reuse | ||||
| Description | I set this private because I'm not entirely sure that there is no way to exploit this. The array $_SESSION['_config']['user'] is used in two different parts of the CAcert website. Firstly in "Find an Assurer" and secondly in "My Details -> edit". In both cases the array is always filled with all details of a user (including lost password questions/answers). If you manage to change the content of the array between two different screens you might find a way to exploit it. It is possible to do this with the "Find an Assurer" function: 1. Search for any assurer 2. Open "My Details -> edit" in another window 3. Send message to assurer from step 1 4. Message will be sent to your account. While this is not a big deal, I'm afraid that there might be a way to do it the other way round (display other people's data in your "My Details -> edit"). Currently it seems to be impossible only because: - if id==13 and ($_SESSION['_config']['user']['set'] != 1) the array will be reset to the current user's values. As the "Find an Assurer" function doesn't set $_SESSION['_config']['user']['set'] there is no problem. - if oldid==13 and process!="" the first thing done is to overwrite the array with the data the user submitted. This overwrites the lost password details as well. - it is not possible anymore(!) as direct access to account/13.php has been removed some hours ago. I'm afraid that only little changes to the code or website (e.g. adding a feature) might cause an unexpected change to the current situation and allow anyone to access other users' profiles. I recommend using different SESSION variables for both functions. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2006-03-06 01:25 | | New Issue | |
| 2006-08-16 12:37 | duane | Status | new => needs work |
| 2006-08-16 12:37 | duane | Assigned To | => bluec |
| 2006-08-16 12:38 | duane | Status | needs work => solved? |
| 2006-08-16 12:38 | duane | Fixed in Version | => production |
| 2006-08-16 12:38 | duane | Resolution | open => fixed |
| 2006-08-16 12:38 | duane | Note Added: 0000522 | |
| 2007-10-24 06:07 | evaldo | Reporter | bluec => aanriot |
| 2007-10-24 06:07 | evaldo | Assigned To | bluec => |
| 2007-10-24 06:07 | evaldo | Status | solved? => closed |
| 2013-01-14 01:26 | Werner Dworak | Fixed in Version | => 2006 |
| 2013-11-20 22:23 | NEOatNHNG | View Status | private => public |
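
The variable reuse described in this issue, shown as an added example that is not part of the report and is not CAcert's code: two pages write the same session key, so a second window changes what the first one acts on, while one key per function keeps them apart. A plain array stands in for `$_SESSION`; the function names, the `profile`, `assurer` and `edit` keys, the record fields and the user data are all constructed assumptions.

```php
<?php
// Added illustration, not CAcert source. Records and field names are constructed.
$users = [
    1 => ['id' => 1, 'email' => 'me@example.org',      'lostpw_answer' => 'constructed-1'],
    2 => ['id' => 2, 'email' => 'assurer@example.org', 'lostpw_answer' => 'constructed-2'],
];

// Shared-key pattern from the report: both pages write ['_config']['user'].
function findAssurerShared(array &$s, array $users, int $id): void {
    $s['_config']['user'] = $users[$id];             // full record, lost-password data included
}
function editDetailsShared(array &$s, array $users): void {
    if (($s['_config']['user']['set'] ?? 0) != 1) {  // the guard the report relies on
        $s['_config']['user'] = $users[$s['profile']['id']];
    }
}
function messageTargetShared(array $s): string {
    return $s['_config']['user']['email'];           // reads whatever was written last
}

// Separated pattern: one key per function, holding only the fields that function needs.
function findAssurerSplit(array &$s, array $users, int $id): void {
    $s['_config']['assurer'] = ['id' => $id, 'email' => $users[$id]['email']];
}
function editDetailsSplit(array &$s, array $users): void {
    $s['_config']['edit'] = $users[$s['profile']['id']];
}
function messageTargetSplit(array $s): string {
    return $s['_config']['assurer']['email'];        // untouched by the edit page
}

// Same three steps as in the report, run against each pattern.
$shared = ['profile' => ['id' => 1]];
findAssurerShared($shared, $users, 2);   // window 1: search for an assurer
editDetailsShared($shared, $users);      // window 2: open "My Details -> edit"
echo "shared key: ", messageTargetShared($shared), "\n";

$split = ['profile' => ['id' => 1]];
findAssurerSplit($split, $users, 2);
editDetailsSplit($split, $users);
echo "split keys: ", messageTargetSplit($split), "\n";
```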