View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000161||Main CAcert Website||source code||public||2006-03-06 01:25||2013-11-20 22:23|
|Fixed in Version||2006|
|Summary||0000161: concerning variable reuse|
|Description||I set this private because I'm not entirely sure that there is no way to exploit this.
The array $_SESSION['_config']['user'] is used in two different parts of the CAcert website. Firstly in "Find an Assurer" and secondly in "My Details -> edit". In both cases the array is always filled with all details of a user (including lost password questions/answer).
If you manage to change the content of the array between two different screens you might find a way to exploit it. It is possible to do this with the "Find an Assurer" function:
1. Search for any assurer
2. Open "My Details -> edit" in another window
3. Send message to assurer from step 1
4. Message will be sent to your account
While this is not a big deal, I'm afraid that there might be a way to do it the other way round (display other people's data in your "My Details -> edit").
Currently it seems to be impossible only because:
- if id==13 and ($_SESSION['_config']['user']['set'] != 1) the array will
be reset to the current users values. As the "Find an Assurer" function
doesn't set $_SESSION['_config']['user']['set'] there is no problem.
- if oldid==13 and process!="" the first thing done is to overwrite the
array with the data the user submitted. This overwrites the lost password
- it is not possible anymore(!) as direct access to account/13.php has
been removed some hours ago.
I'm afraid that only little changes to the code or website (e.g. adding a feature) might cause an unexpected change to the current situation and allow anyone to access other users' profiles.
I recommend using different SESSION variables for both functions.
|Tags||No tags attached.|
|2006-08-16 12:37||duane||Status||new => needs work|
|2006-08-16 12:37||duane||Assigned To||=> bluec|
|2006-08-16 12:38||duane||Status||needs work => solved?|
|2006-08-16 12:38||duane||Fixed in Version||=> production|
|2006-08-16 12:38||duane||Resolution||open => fixed|
|2006-08-16 12:38||duane||Note Added: 0000522|
|2007-10-24 06:07||evaldo||Reporter||bluec => aanriot|
|2007-10-24 06:07||evaldo||Assigned To||bluec =>|
|2007-10-24 06:07||evaldo||Status||solved? => closed|
|2013-01-14 01:26||Werner Dworak||Fixed in Version||=> 2006|
|2013-11-20 22:23||NEOatNHNG||View Status||private => public|
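
The variable reuse described in this report, next to the recommended separate session variables, as an added PHP example that is not CAcert's code or part of the original report. The user records, the `email` field and the `assurer`/`profile` key names are constructed for illustration, and `$session` stands in for `$_SESSION`.

```php
<?php
declare(strict_types=1);
// Added illustration, not CAcert code. The user records, the 'email' field and
// the 'assurer'/'profile' key names are constructed for this example.

const ME      = ['id' => 1, 'email' => 'me@example.org'];
const ASSURER = ['id' => 2, 'email' => 'assurer@example.org'];

// --- Shared key: both screens write $session['_config']['user'] ---
function findAssurerShared(array &$session, array $assurer): void {
    $session['_config']['user'] = $assurer;        // search result
}
function myDetailsEditShared(array &$session, array $me): void {
    // Reset described in the report: refill unless 'set' == 1.
    if (($session['_config']['user']['set'] ?? 0) != 1) {
        $session['_config']['user'] = $me;
    }
}
function sendMessageShared(array $session): string {
    return $session['_config']['user']['email'];   // trusts whatever is stored
}

// --- Separate keys: each screen owns its own slot ---
function findAssurerSplit(array &$session, array $assurer): void {
    $session['_config']['assurer'] = $assurer;
}
function myDetailsEditSplit(array &$session, array $me): void {
    $session['_config']['profile'] = $me;
}
function sendMessageSplit(array $session): string {
    return $session['_config']['assurer']['email'];
}

// Replay steps 1-3 of the report against both layouts.
$shared = [];
findAssurerShared($shared, ASSURER);   // 1. search for an assurer
myDetailsEditShared($shared, ME);      // 2. "My Details -> edit" in another window
echo "shared key -> ", sendMessageShared($shared), PHP_EOL;  // 3. send message

$split = [];
findAssurerSplit($split, ASSURER);
myDetailsEditSplit($split, ME);
echo "split keys -> ", sendMessageSplit($split), PHP_EOL;
```

With the shared key the message recipient is whatever the last screen stored; with separate keys the second window cannot change which record the message function reads.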