View Issue Details

ID: 0000600
Project: Main CAcert Website
Category: source code
View Status: public
Last Update: 2013-11-20 22:23
Reporter: kriss
Assigned To: Sourcerer
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2008
Summary: 0000600: NS Client certs can be created with an arbitrary email address attached.
Description: Another one of those lovely register_globals fallout bugs. An easy way to recreate the steps here is to use the Tamper Data Firefox addon ( https://addons.mozilla.org/en-US/firefox/addon/966 )

1. Go to https://secure.cacert.org/account.php?id=3, don't add an email address, add SSO information.
2. Choose keysize and submit. Tamper the request, adding "defaultemail=target@target.org" and "count=0.emailAddress = target@target.org%0A1" in the POST data.
3. Install your cert.

(Slightly roundabout way of going about it, but hey..)

Could obviously not be used to access cacert.org itself since it depends on SERIAL, but it's been confirmed to work on iis.se's domain admin page.

It's possible that other nastiness could be performed using this attack vector, seeing that fairly arbitrary stuff can be sent into the CSR.
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

Sourcerer

2008-08-18 10:23

administrator   ~0001146

Should be fixed, please test and close.

kriss

2008-08-18 10:30

reporter   ~0001147

Verified.
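
A server-side check for the request handling described in this report, added here as an example; it is not CAcert's code and not the fix that was applied. It assumes the subject lines have the form `N.emailAddress = value` (inferred from the tampered `count` value in the report); the function name and sample addresses are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Build the "N.emailAddress = value" subject lines for a client-cert request.
 * Assumption: the line format is inferred from the report; names are hypothetical.
 * $verified must come from server-side account data, never from the request.
 */
function build_email_lines(array $requested, array $verified): string
{
    $lines = [];
    $count = 0; // index is created here, never read from the request

    foreach ($requested as $email) {
        // Reject anything that is not a plain string (e.g. nested arrays).
        if (!is_string($email)) {
            throw new InvalidArgumentException('email must be a string');
        }
        // No control characters: a CR/LF would start a new line in the config.
        if (preg_match('/[\x00-\x1F\x7F]/', $email)) {
            throw new InvalidArgumentException('control character in email');
        }
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('malformed email');
        }
        // Only addresses already verified for this account may be certified.
        if (!in_array($email, $verified, true)) {
            throw new InvalidArgumentException('email not verified for account');
        }
        $lines[] = sprintf('%d.emailAddress = %s', $count++, $email);
    }
    return implode("\n", $lines);
}

// Constructed sample data: the account has verified one address.
$verified = ['user@example.org'];

$cases = [
    'verified address'   => ['user@example.org'],
    'unverified address' => ['target@target.org'],
    'embedded newline'   => ["user@example.org\n1.emailAddress = target@target.org"],
];

foreach ($cases as $label => $requested) {
    try {
        echo "$label: accepted\n", build_email_lines($requested, $verified), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```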

Issue History

Date Modified Username Field Change
2008-08-18 02:41 kriss New Issue
2008-08-18 10:23 Sourcerer Note Added: 0001146
2008-08-18 10:23 Sourcerer Status new => solved?
2008-08-18 10:23 Sourcerer Fixed in Version => production
2008-08-18 10:23 Sourcerer Resolution open => fixed
2008-08-18 10:23 Sourcerer Assigned To => Sourcerer
2008-08-18 10:30 kriss Note Added: 0001147
2008-08-18 10:30 kriss Status solved? => closed
2013-01-15 02:53 Werner Dworak Fixed in Version => 2008
2013-11-20 22:23 NEOatNHNG View Status private => public