View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000289 | Main CAcert Website | misc | public | 2006-08-11 15:44 | 2013-11-20 22:23 |
Reporter | aanriot | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2006 | ||||
Summary | 0000289: Exploiting whois and the add domain function | ||||
Description | If you try to add the new domain -v name@domain.com one of the authority addresses will be \"name@domain.com\" because the -v option causes whois to complain with % "name@domain.com" is not a known object type. It's not directly exploitable this way but there might be cases that create a valid email address and allow a bad domainname to be verified in the database. Especially looking at multiple domain name certificates this might even be highly security related! At least it is possible to introduce crap into the database and this might even be exploitable for XSS against the system administrators. I recommend to check for valid domainnames or at least remove all leading dashes and all blank or @ characters from string and apply htmlentities(). The escapeshellarg() is definitely NOT enough! | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
related to | 0000592 | confirmed | The domain name checking have to be improved to be auditable |
|
# whois -v yahoo.com
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
%ERROR:103: unknown object type
%
% "yahoo.com" is not a known object type.
% Use "-q types" to list known object types. |
|
line 328 of includes/account.php + list($newdomain, $crud) = explode(" ", $newdomain, 2); + while($newdomain['0'] == '-') + $newdomain = substr($newdomain, 1); |
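Review bot: the two added lines at line 328 of includes/account.php repair the input instead of validating it, so only the reported "-v name@domain.com" shape is covered. explode(" ", $newdomain, 2) splits on a single space character only and the while loop removes leading dashes only, so other whitespace, "@", quotes and markup characters in $newdomain are left untouched, and an input made up entirely of dashes leaves an empty value to carry on with. Suggest rejecting the request unless the whole string matches a hostname pattern, checking for an empty result before it is used, and applying htmlentities() wherever the value is displayed, as the report recommends. $newdomain['0'] also works only because PHP converts the string key to an integer offset; $newdomain[0] would say what is meant.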
|
bluec, can you please verify whether it was corrected properly now, and close this bug, in case? |
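The check the report recommends (accept only valid domain names, and encode on output), sketched as an added PHP example that is not CAcert's code. validate_domain() and the sample inputs are hypothetical, and the example goes beyond the applied fix by rejecting bad input rather than stripping characters from it.

```php
<?php
// Added example: allow-list validation for a user-supplied domain name.
// validate_domain() and the sample inputs are hypothetical, not CAcert code.

/**
 * Return the normalised domain name, or null if the input is not a
 * plain DNS hostname (letter/digit/hyphen labels separated by dots).
 */
function validate_domain(string $input): ?string
{
    // Reject rather than repair: no trimming, no stripping of characters.
    if ($input === '' || strlen($input) > 253) {
        return null;
    }
    $domain = strtolower($input);
    $labels = explode('.', $domain);
    if (count($labels) < 2) {
        return null;                       // require at least "name.tld"
    }
    foreach ($labels as $label) {
        // 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
        // \z instead of $ so a trailing newline cannot slip through.
        if (!preg_match('/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/', $label)) {
            return null;
        }
    }
    return $domain;
}

// Constructed sample inputs, including the one from the report.
$samples = ['example.org', '-v name@domain.com', '-example.org',
            'a b.example', "example.org\n", 'xn--bcher-kva.example'];

foreach ($samples as $raw) {
    $domain = validate_domain($raw);
    // Encode for HTML on output, whatever the validation result was.
    $shown = htmlentities($raw, ENT_QUOTES, 'UTF-8');
    if ($domain === null) {
        echo "rejected: {$shown}\n";
        continue;
    }
    // Only a validated name becomes a shell argument; it can no longer
    // start with "-" or contain whitespace, "@" or quotes.
    echo 'accepted: whois ' . escapeshellarg($domain) . "\n";
}
```

Of the six constructed inputs only `example.org` and `xn--bcher-kva.example` are accepted; the input from the report is rejected at the first label.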
Date Modified | Username | Field | Change |
---|---|---|---|
2006-08-11 15:44 | | New Issue | |
2006-08-13 05:43 | duane | Note Added: 0000365 | |
2006-08-13 05:49 | duane | Note Added: 0000366 | |
2006-08-13 05:50 | duane | Status | new => solved? |
2006-08-13 05:50 | duane | Fixed in Version | => production |
2006-08-13 05:50 | duane | Resolution | open => fixed |
2006-08-13 05:50 | duane | Assigned To | => duane |
2006-08-13 06:28 | Sourcerer | Note Added: 0000369 | |
2007-10-24 06:21 | evaldo | Reporter | bluec => aanriot |
2007-10-24 06:21 | evaldo | Assigned To | duane => |
2007-10-24 06:21 | evaldo | Status | solved? => closed |
2008-08-12 15:09 | homer | Relationship added | related to 0000592 |
2013-01-14 10:54 | Werner Dworak | Fixed in Version | => 2006 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |