View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000595Main CAcert Websitesource codepublic2008-08-14 02:042013-01-15 02:49
Reporterkriss Assigned ToTheSourcerer  
PriorityimmediateSeveritycrashReproducibilityalways
Status closedResolutionfixed 
PlatformMain CAcert Website 
Fixed in Version2008 
Summary0000595: Arbitrary addition to list of email addresses valid to verify a domain as being under the control of the user.
DescriptionPlain and simple:

https://www.cacert.org/account.php?oldid=7&newdomain=yahoo.jp&adds[]=your@email.here

This will only work for the .jp domain, since spec'ing any other TLD will initialize the adds array to whatever the WHOIS information gives. Seems to be a case of register_globals + PHP being overly helpful in making an array for us + very, very bad coding standards from a security perspective.
Additional InformationYou'll find packetlogic.jp assigned to kriss@proceranetworks.com using this exploit, no certificate created / nothing to revoke. (PacketLogic is a trademark/product of Procera Networks and packetlogic.jp is owned by a local partner, so I don't foresee that anyone would have much of a legal or administrative issue with this.)
TagsNo tags attached.
Reviewed by
Test Instructions

Activities

2008-08-14 02:04

 

yahoo.png (25,100 bytes)   
yahoo.png (25,100 bytes)   

homer

2008-08-14 08:41

reporter   ~0001140

I have tried it. And it works. Thanks for reporting.

Sourcerer

2008-08-14 08:56

administrator   ~0001141

I think I fixed that bug. Please test it. Does anyone have an idea, why the .jp domains were explicitly not using whois?

Sourcerer

2008-08-14 11:49

administrator   ~0001142

Solution has been verified and acknowledged.

Issue History

Date Modified Username Field Change
2008-08-14 02:04 kriss New Issue
2008-08-14 02:04 kriss File Added: yahoo.png
2008-08-14 08:41 homer Note Added: 0001140
2008-08-14 08:41 homer Assigned To => TheSourcerer
2008-08-14 08:41 homer Priority normal => immediate
2008-08-14 08:41 homer Severity major => crash
2008-08-14 08:41 homer Status new => confirmed
2008-08-14 08:41 homer Platform => Main CAcert Website
2008-08-14 08:56 Sourcerer Note Added: 0001141
2008-08-14 08:56 Sourcerer Status confirmed => solved?
2008-08-14 08:56 Sourcerer Fixed in Version => production
2008-08-14 08:56 Sourcerer Resolution open => fixed
2008-08-14 11:48 Sourcerer Note View State: 1140: public
2008-08-14 11:49 Sourcerer Note Added: 0001142
2008-08-14 11:49 Sourcerer Status solved? => closed
2008-08-14 12:08 Sourcerer View Status private => public
2013-01-15 02:49 Werner Dworak Fixed in Version => 2008