View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000215 | Main CAcert Website | certificate issuing | public | 2006-04-23 12:36 | 2013-11-20 22:23 |
Reporter | Sourcerer | Assigned To | Sourcerer | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2009 Q2 | ||||
Summary | 0000215: Challenge isn't verified on SPKAC requests | ||||
Description | The SPKAC challenges aren't verified by the system, making replay attacks possible. At first the challenge is created as an MD5 hash from the random numbers: www/account/4.php line 0000127 On line 0000131, the challenge is delivered to the browser. The hash doesn't seem to be stored in the session or somewhere else. Then the SPKAC request is stored in the database in includes/account.php line 0000184. (At that point, the challenge should be verified.) Then the SPKAC requests are used in the script scripts/clientcerts.php line 0000047 | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
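
One way to implement the check the description asks for, as an added example that is not CAcert's code or the fix that was applied: the challenge is stored server-side when issued, consumed on submission, and compared with the challenge inside the signed SPKAC. The helper names are hypothetical, `$session` stands in for `$_SESSION`, and the key and SPKAC are constructed locally in place of a browser submission; the replayed SPKAC is rejected on the second and third calls.

```php
<?php
// Added example: hypothetical helper names; $session stands in for $_SESSION.

// Issue a fresh random challenge and remember it server-side.
function issue_challenge(array &$session): string {
    $session['spkac_challenge'] = bin2hex(random_bytes(16));
    return $session['spkac_challenge'];
}

// Accept an SPKAC only if it is correctly signed and carries the challenge
// issued to this session. The stored challenge is consumed on every attempt.
function accept_spkac(array &$session, string $spkac): bool {
    $expected = $session['spkac_challenge'] ?? null;
    unset($session['spkac_challenge']);      // single use, even on failure
    if ($expected === null) {
        return false;                        // no challenge outstanding: replay or stale form
    }
    $spkac = preg_replace('/^SPKAC=/', '', trim($spkac));
    if (!openssl_spki_verify($spkac)) {
        return false;                        // signature over key and challenge is invalid
    }
    $got = openssl_spki_export_challenge($spkac);
    return is_string($got) && hash_equals($expected, $got);
}

// Constructed demo data: this key and SPKAC stand in for what a browser would submit.
$session = [];
$key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$spkac = openssl_spki_new($key, issue_challenge($session), OPENSSL_ALGO_SHA256);

var_dump(accept_spkac($session, $spkac));    // first submission of the SPKAC
var_dump(accept_spkac($session, $spkac));    // same SPKAC again, challenge already consumed
issue_challenge($session);                   // a new form is served with a new challenge
var_dump(accept_spkac($session, $spkac));    // old SPKAC replayed against the new challenge
```
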
Date Modified | Username | Field | Change |
---|---|---|---|
2006-04-23 12:36 | Sourcerer | New Issue | |
2006-08-14 16:12 | duane | Status | new => needs work |
2006-08-14 16:12 | duane | Assigned To | => Sourcerer |
2009-04-26 21:26 | Sourcerer | Note Added: 0001390 | |
2009-04-26 21:26 | Sourcerer | Status | needs work => solved? |
2009-04-26 21:28 | Sourcerer | Status | solved? => closed |
2009-04-26 21:28 | Sourcerer | Resolution | open => fixed |
2013-01-14 08:10 | Werner Dworak | Fixed in Version | => 2009 Q2 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |