View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000215 | Main CAcert Website | certificate issuing | public | 2006-04-23 12:36 | 2013-11-20 22:23 |
| Reporter | Sourcerer | Assigned To | Sourcerer | ||
| Priority | urgent | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 2009 Q2 | ||||
| Summary | 0000215: Challenge isn't verified on SPKAC requests | ||||
| Description | The SPKAC challenges aren't verified by the system, making replay attacks possible. At first the challenge is created as an MD5 hash from the random numbers: www/account/4.php line 0000127. On line 0000131, the challenge is delivered to the browser. The hash doesn't seem to be stored in the session or somewhere else. Then the SPKAC request is stored in the database in includes/account.php line 0000184. (At that point, the challenge should be verified.) Then the SPKAC requests are used in the script scripts/clientcerts.php line 0000047. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2006-04-23 12:36 | Sourcerer | New Issue | |
| 2006-08-14 16:12 | duane | Status | new => needs work |
| 2006-08-14 16:12 | duane | Assigned To | => Sourcerer |
| 2009-04-26 21:26 | Sourcerer | Note Added: 0001390 | |
| 2009-04-26 21:26 | Sourcerer | Status | needs work => solved? |
| 2009-04-26 21:28 | Sourcerer | Status | solved? => closed |
| 2009-04-26 21:28 | Sourcerer | Resolution | open => fixed |
| 2013-01-14 08:10 | Werner Dworak | Fixed in Version | => 2009 Q2 |
| 2013-11-20 22:23 | NEOatNHNG | View Status | private => public |
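
One way to implement the check the description asks for, as an added example that is neither CAcert's code nor the fix that was applied: the challenge is kept server-side when it is issued, and the SPKAC is accepted only if its signature verifies and its embedded challenge matches the stored, single-use value. The function names, the `spkac_challenge` session key and the use of `random_bytes()` for the challenge are assumptions; the browser side is simulated with `openssl_spki_new()`.

```php
<?php
// Added example, not CAcert code. issue_challenge(), accept_spkac() and the
// 'spkac_challenge' session key are hypothetical names.

// Step 1: when rendering the key-generation form, create the challenge and
// remember it server-side before it is delivered to the browser.
function issue_challenge(array &$session): string
{
    $challenge = bin2hex(random_bytes(16));
    $session['spkac_challenge'] = $challenge;
    return $challenge;
}

// Step 2: before the request is stored, check its signature and challenge.
function accept_spkac(array &$session, string $spkac): bool
{
    $expected = $session['spkac_challenge'] ?? null;
    unset($session['spkac_challenge']);       // single use, even on failure
    if ($expected === null) {
        return false;                         // no outstanding challenge
    }
    $spkac = preg_replace('/^SPKAC=/', '', trim($spkac));
    if (!openssl_spki_verify($spkac)) {
        return false;                         // signature does not match the key
    }
    $got = openssl_spki_export_challenge($spkac);
    return is_string($got) && hash_equals($expected, $got);
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
$key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$challenge = issue_challenge($session);
$request = openssl_spki_new($key, $challenge, OPENSSL_ALGO_SHA256);

var_dump(accept_spkac($session, $request));   // first submission of the request
var_dump(accept_spkac($session, $request));   // same request submitted again

issue_challenge($session);                    // form rendered again, new challenge
var_dump(accept_spkac($session, $request));   // old request against new challenge
```

Clearing the stored challenge before any other check is what makes it single-use: a captured request cannot be resubmitted even within the same session.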