View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000600 | Main CAcert Website | source code | public | 2008-08-18 02:41 | 2013-11-20 22:23 |
Reporter | kriss | Assigned To | Sourcerer | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2008 | ||||
Summary | 0000600: NS Client certs can be created with an arbitrary email address attached. | ||||
Description | Another one of those lovely register_globals fallout bugs. An easy way to recreate the steps here is to use the Tamper Data Firefox addon ( https://addons.mozilla.org/en-US/firefox/addon/966 ) 1. Go to https://secure.cacert.org/account.php?id=3, don't add an email address, add SSO information. 2. Choose keysize and submit. Tamper the request, adding "defaultemail=target@target.org" and "count=0.emailAddress = target@target.org%0A1" in the POST data. 3. Install your cert. (Slightly roundabout way of going about it, but hey..) Could obviously not be used to access cacert.org itself since it depends on SERIAL, but it's been confirmed to work on iis.se's domain admin page. It's possible that other nastiness could be performed using this attack vector, seeing that fairly arbitrary stuff can be sent into the CSR. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
Date Modified | Username | Field | Change |
---|---|---|---|
2008-08-18 02:41 | kriss | New Issue | |
2008-08-18 10:23 | Sourcerer | Note Added: 0001146 | |
2008-08-18 10:23 | Sourcerer | Status | new => solved? |
2008-08-18 10:23 | Sourcerer | Fixed in Version | => production |
2008-08-18 10:23 | Sourcerer | Resolution | open => fixed |
2008-08-18 10:23 | Sourcerer | Assigned To | => Sourcerer |
2008-08-18 10:30 | kriss | Note Added: 0001147 | |
2008-08-18 10:30 | kriss | Status | solved? => closed |
2013-01-15 02:53 | Werner Dworak | Fixed in Version | => 2008 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |
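
A server-side check against the class of bug described in the report above, as an added example that is not CAcert's code: addresses are read from an explicit request array instead of register_globals variables, accepted only if already verified for the account, rejected if they contain control characters, and numbered by the server when the `N.emailAddress` lines are written. The function names, the verified-address list and the sample addresses are hypothetical.

```php
<?php
// Added illustration, not CAcert's code; all names here are hypothetical.

/** Keep only addresses that are well-formed and verified for the account. */
function select_cert_emails(array $requested, array $verified): array
{
    $out = [];
    foreach ($requested as $addr) {
        // CR, LF, NUL and other control bytes would let a value start a new line.
        if (!is_string($addr) || preg_match('/[\x00-\x1F\x7F]/', $addr)) {
            throw new InvalidArgumentException('not a string or has control character');
        }
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('not an e-mail address');
        }
        // Exact match against the server-side record, never a request parameter.
        if (!in_array($addr, $verified, true)) {
            throw new InvalidArgumentException('address not verified for account');
        }
        $out[] = $addr;
    }
    return array_values(array_unique($out));
}

/** Emit "N.emailAddress = value" lines; N is the server's own loop index. */
function build_subject_lines(array $emails): string
{
    $lines = [];
    foreach (array_values($emails) as $i => $addr) {
        $lines[] = sprintf('%d.emailAddress = %s', $i, $addr);
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample data: the verified list would come from the account record.
$verified = ['alice@example.org'];
$requests = [
    ['alice@example.org'],                                 // accepted
    ['target@example.net'],                                // not verified
    ["alice@example.org\n1.emailAddress = x@example.net"], // embedded newline
];
foreach ($requests as $emails) {
    try {
        echo build_subject_lines(select_cert_emails($emails, $verified));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```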