View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000161 | Main CAcert Website | source code | public | 2006-03-06 01:25 | 2013-11-20 22:23 |
Reporter | aanriot | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2006 | ||||
Summary | 0000161: concerning variable reuse | ||||
Description | I set this private because I'm not entirely sure that there is no way to exploit this. The array $_SESSION['_config']['user'] is used in two different parts of the cacert website. Firstly in "Find an Assurer" and secondly in "My Details -> edit". In both cases the array is always filled with all details of a user (including lost password questions/answers). If you manage to change the content of the array between two different screens you might find a way to exploit it. It is possible to do this with the "Find an Assurer" function: 1. Search for any assurer 2. Open "My Details -> edit" in another window 3. Send message to assurer from step 1 4. Message will be sent to your account While this is not a big deal, I'm afraid that there might be a way to do it the other way round (display other people's data in your "My Details -> edit"). Currently it seems to be impossible only because: - if id==13 and ($_SESSION['_config']['user']['set'] != 1) the array will be reset to the current user's values. As the "Find an Assurer" function doesn't set $_SESSION['_config']['user']['set'] there is no problem. - if oldid==13 and process!="" the first thing done is to overwrite the array with the data the user submitted. This overwrites the lost password details as well. - it is not possible anymore(!) as direct access to account/13.php has been removed some hours ago. I'm afraid that only little changes to the code or website (e.g. adding a feature) might cause an unexpected change to the current situation and allow anyone to access other users' profiles. I recommend using different SESSION variables for both functions. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
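
The variable reuse described in the report, next to the recommended separation, modeled with plain arrays in place of `$_SESSION`. This is an added example, not CAcert's code; the function names, the `assurer` and `edit` keys, and the sample users are hypothetical.

```php
<?php
// Constructed sample data; field names are illustrative, not CAcert's schema.
$users = [
    1 => ['id' => 1, 'email' => 'me@example.org', 'question' => 'Q-own', 'answer' => 'A-own'],
    2 => ['id' => 2, 'email' => 'assurer@example.org', 'question' => 'Q-assurer', 'answer' => 'A-assurer'],
];

// Before: both features store a full user record under the same session key.
function findAssurerShared(array &$session, array $users, int $assurerId): void {
    $session['_config']['user'] = $users[$assurerId];
}
function editDetailsShared(array &$session, array $users, int $ownId): void {
    $session['_config']['user'] = $users[$ownId];
}
function sendMessageShared(array $session): string {
    // The recipient is whichever feature wrote to the shared key last.
    return $session['_config']['user']['email'];
}

// After: one key per feature, each holding only the fields that feature needs.
function findAssurerSeparate(array &$session, array $users, int $assurerId): void {
    $session['_config']['assurer'] = ['id' => $assurerId, 'email' => $users[$assurerId]['email']];
}
function editDetailsSeparate(array &$session, array $users, int $ownId): void {
    $session['_config']['edit'] = $users[$ownId];
}
function sendMessageSeparate(array $session): string {
    return $session['_config']['assurer']['email'];
}

// Same sequence as in the report: search, open the edit page in a second window, send.
$shared = [];
findAssurerShared($shared, $users, 2);
editDetailsShared($shared, $users, 1);
echo "shared key:    message goes to ", sendMessageShared($shared), "\n";

$separate = [];
findAssurerSeparate($separate, $users, 2);
editDetailsSeparate($separate, $users, 1);
echo "separate keys: message goes to ", sendMessageSeparate($separate), "\n";

// The assurer entry never carries lost-password fields, so a later code change
// that displays it cannot expose them.
var_dump(isset($separate['_config']['assurer']['answer']));
```
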
Date Modified | Username | Field | Change |
---|---|---|---|
2006-03-06 01:25 | | New Issue | |
2006-08-16 12:37 | duane | Status | new => needs work |
2006-08-16 12:37 | duane | Assigned To | => bluec |
2006-08-16 12:38 | duane | Status | needs work => solved? |
2006-08-16 12:38 | duane | Fixed in Version | => production |
2006-08-16 12:38 | duane | Resolution | open => fixed |
2006-08-16 12:38 | duane | Note Added: 0000522 | |
2007-10-24 06:07 | evaldo | Reporter | bluec => aanriot |
2007-10-24 06:07 | evaldo | Assigned To | bluec => |
2007-10-24 06:07 | evaldo | Status | solved? => closed |
2013-01-14 01:26 | Werner Dworak | Fixed in Version | => 2006 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |