View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000200||Main CAcert Website||web of trust||public||2006-04-09 22:08||2013-11-20 22:23|
|Fixed in Version||2006|
|Summary||0000200: creating client certs with arbitrary names included|
|Description||This bug hasn't been tested but looking at the source code gives me a good impression that this will work.|
If you've created a user account using the CAcert join function it is possible to change your account details until you have received assurance points. The assurer will be checking your "current name in the database" and if this matches the details you provided on the WoT form you'll get your points.
If you want to create a client certificate including your name you need to have >=50 assurance points. The name that may be included into the certificate is NOT taken out of the database. Instead it's taken out of $_SESSION['profile'], which is populated when you log on.
How to exploit it?
1. create a new account with the fake details you want on your client cert
2. login with two different browsers at the same time; both $_SESSION['profile'] will be initialised with the fake details
3. use one account to change your details to something valid which you can prove to the assurer. This will be stored in the database
4. Get assured. The assurer is checking your details in the database
5. Use the second browser to create a client certificate. This browser's session still has your fake name in $_SESSION['profile'], which you will have included in your assured client certificate.
As $_SESSION['profile']['points'] is updated every time you access a site, this value will be updated but not your name.
At least the person that tries to exploit this has to authenticate against at least one assurer giving his real name and date of birth.
|Tags||No tags attached.|
the code already calcs points prior to a change, and doesn't just accept details of the session...
$ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
$ddres = mysql_query($ddquery);
$ddrow = mysql_fetch_assoc($ddres);
$_SESSION['profile']['points'] = $ddrow['total'];
if($_SESSION['profile']['points'] == 0)
The problem isn't the change of name. You are right, this is not possible once you have too many points.
BUT the user's details (fname, lname, ...) are stored in the SESSION and the values from the SESSION will be used to verify the data a user wants to include in her certificate.
So if you create two sessions at the same time (using two browsers) you can have one of them with your current and correct data (as stored in the database and verified by the assurer) and one with a wrong name (because sessions are never updated from the database while a user is logged on).
fail to see how this can be exploited, the system won't allow an update if the user has 1 or more points, the rest is purely informational...
It's not about updating the details. It's about creating certificates.
While a user has 0 points he creates two browser sessions. One with fake details stored in SESSION and one with his correct name stored in SESSION and saved to the CAcert database. Now he asks someone to assure his correct name, but still the other session has stored the fake name (and won't update these values until the user logs out/in again).
If the user uses the old session with the fake details to create a certificate they will be able to include these fake details in the cert. Only the points are updated on every page access but not the details. That makes this exploit possible.
+ $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_SESSION['profile']['id']."'"));
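Review bot: the added `select * from \`users\`` query interpolates `$_SESSION['profile']['id']` straight into the SQL string; even if that id is an integer set at login, casting it (`(int)$_SESSION['profile']['id']`) or escaping it would make the query safe by construction rather than by assumption, and the result of `mysql_query` is handed to `mysql_fetch_assoc` without checking for `false`, so a failed query would produce a warning and an empty `$user` instead of a clear error before the profile is overwritten.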
then changed $_SESSION['profile']['fname'] to $user['fname'] etc...
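To make the race between the session cache and the database concrete, here is an added Python model of the flow described in the report and of the re-read fix; it is not CAcert code, and the in-memory table stand-ins, user id 7 and the names are constructed for the example.

```python
"""Model of the stale-session flaw described in this issue (added example,
not CAcert code). A user row lives in a 'database'; login copies it into a
per-session profile cache. Points are refreshed on every request, but the
name is not, so a session opened before a name change keeps the old name."""
import copy

# Constructed in-memory stand-ins for the `users` and `notary` tables.
USERS = {}
NOTARY = []  # rows of (to_user_id, points)

def total_points(user_id):
    """Equivalent of the sum(`points`) query quoted in the notes above."""
    return sum(p for to, p in NOTARY if to == user_id)

def login(user_id):
    """Mirrors populating $_SESSION['profile'] at logon: a snapshot copy."""
    return copy.deepcopy(USERS[user_id])

def page_request(session):
    """Every page access refreshes only the points, as the report says."""
    session["points"] = total_points(session["id"])

def update_details(user_id, fname, lname):
    """Name changes are only accepted while the user has zero points."""
    if total_points(user_id) != 0:
        raise PermissionError("details are locked once assured")
    USERS[user_id].update(fname=fname, lname=lname)

def issue_cert_vulnerable(session):
    """Takes the subject name from the session cache: the flaw."""
    page_request(session)
    if session["points"] < 50:
        raise PermissionError("need >= 50 assurance points")
    return f"CN={session['fname']} {session['lname']}"

def issue_cert_fixed(session):
    """Re-reads the user row into the session first, as the fix does."""
    session.update(copy.deepcopy(USERS[session["id"]]))
    return issue_cert_vulnerable(session)

def scenario():
    """Replays the five steps from the report; returns (vulnerable, fixed)."""
    USERS[7] = {"id": 7, "fname": "Fake", "lname": "Name"}
    NOTARY.clear()
    browser_a = login(7)
    browser_b = login(7)                  # second session keeps "Fake Name"
    update_details(browser_a["id"], "Real", "Person")  # done via browser A
    NOTARY.append((7, 50))                # assurer verified "Real Person"
    return issue_cert_vulnerable(browser_b), issue_cert_fixed(browser_b)
```

Running `scenario()` returns `("CN=Fake Name", "CN=Real Person")`: the stale session hands the unverified name to the certificate, the re-read version does not.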
|2006-04-21 07:08||duane||Status||new => closed|
|2006-04-21 07:08||duane||Note Added: 0000170|
|2006-04-21 07:08||duane||Resolution||open => no change required|
|2006-04-21 07:08||duane||Fixed in Version||=> production|
||Note Added: 0000179|
||Assigned To||=> duane|
||Status||closed => needs work|
||Resolution||no change required => reopened|
|2006-04-21 18:24||duane||Status||needs work => closed|
|2006-04-21 18:24||duane||Note Added: 0000181|
|2006-04-21 18:24||duane||Resolution||reopened => fixed|
||Note Added: 0000183|
||Status||closed => needs work|
|2006-08-14 02:07||duane||Status||needs work => solved?|
|2006-08-14 02:07||duane||Note Added: 0000391|
|2007-10-24 05:22||evaldo||Reporter||bluec => aanriot|
|2007-10-24 05:22||evaldo||Assigned To||duane =>|
|2007-10-24 05:22||evaldo||Status||solved? => closed|
|2011-06-22 00:09||edgarwahn||Source_changeset_attached||=> cacert-devel release 5b68967d|
|2013-01-14 03:14||Werner Dworak||Fixed in Version||=> 2006|
|2013-11-20 22:23||NEOatNHNG||View Status||private => public|