View Issue Details
Field | Value |
---|---|
ID | 0001291 |
Project | Main CAcert Website |
Category | web of trust |
View Status | public |
Date Submitted | 2014-07-26 14:59 |
Last Update | 2014-11-21 06:49 |
Reporter | Eva |
Assigned To | NEOatNHNG |
Priority | immediate |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 2012 Q2 |
Target Version | 2014 Q3 |
Fixed in Version | 2014 Q3 |
Summary | 0001291: executable code can be entered in location field, executable on wot15 |
Description | It is possible to enter executable code in the location field of assurances. WoT 10 escapes such entries. WoT 15 does not; an exploit works there. This is described in a dispute from 2012-05-22. It would be good if a) WoT 15 escaped the display of such code and b) such entries were blocked from the location field altogether, for example by refusing to accept anything that contains "<" followed later by ">". |
Steps To Reproduce | Assure an account with "<script type="text/javascript">alert("FAIL!");</script>" as the location. Go to WoT 15 as assurer, assuree or in the support console. A popup with "FAIL!" will appear. (Other things like bold or italic ... can also be entered, but are not critical.) |
Additional Information | I tested this with the account KatziAdmin@cacert.org doing assurances over: Miraculix@acme.com (<script>bla</script>); Idefix@acme.com (bla // bla in italic); Asterix@acme.com (<script type="text/javascript">alert("FAIL!");</script>) |
Tags | No tags attached. |
Reviewed by | NEOatNHNG, BenBE |
Test Instructions | |

I tried the same things on the free fields of the account creation page for the account blablub@acme.com. The last name, the password and one password answer were "<script type="text/javascript">alert("FAIL!");</script>"; all other free fields had entries with ... or .... It seemed that all entries were escaped before they were entered in the DB; at least I did not find any hint anywhere (own account, assurer, support) that the tags were entered. They seem to be removed (or escaped in the case of the password). However, when I entered the password in the test-management page for the email ping, the script was executed.

After this post from Eva, I looked via the SE console at the account of blablub@acme.com:
- First Name: bla
- Middle Name: blub
- Last Name: alert("FAIL!");
I changed the Middle Name to <script type="text/javascript">alert("FAIL!");</script> and pushed the Go button. The SE console then showed:
- First Name: bla
- Middle Name: alert(\"FAIL!\");
- Last Name: alert(\"FAIL!\");

Ready for testing on testserver.

1. Checked how old entries worked: I looked at the WoT15 points for KatziAdmin@cacert.org, Miraculix@acme.com, Idefix@acme.com and Asterix@acme.com -> everything was escaped correctly -> ok. I looked from the support console at the WoT15 assurances of the following accounts: Miraculix@acme.com, Idefix@acme.com, Asterix@acme.com -> everything was escaped correctly -> ok.
2. Checked with a new assurance: I entered an assurance from Asterix@acme.com over Miraculix@acme.com with the location <script type="text/javascript">alert("FAIL!");</script>. Then I checked:
- points of Asterix@acme.com (WoT10 and WoT15)
- points of Miraculix@acme.com (WoT10 and WoT15)
- support console, assurances given by Asterix@acme.com (WoT10 and WoT15)
- support console, assurances received by Miraculix@acme.com (WoT10 and WoT15)
-> everything was escaped correctly -> ok
=> ok for behavior change of WoT 15

I assured 2001.jan14@acme.com with <script type="text/javascript">alert("FAIL!");</script> in the location field. No popup was given. => ok
- Looking at my points: no popup => ok
- Looking at the SE console: no popup => ok
- Location shows alert("FAIL!") => ok
=> ok

I tried to assure an account with the syntactically incorrect but possibly working entry <script type="text/javascript">alert("FAIL!"); in the location field. The assurance was done with KatziAdmin@cacert.org over 2001.jan14@acme.com. When I looked at the tables there was always the correct entry (checked by looking at the source). => ok

Added a workaround for the issue reported by magu on wot 6. Please retest, especially umlauts, special characters and other stuff.

I do not know WHAT should be re-tested. Also the question is: is this bug the same bug as the originally reported one? If not, please move this to another bug, so that they do not have to wait for each other.

Could you please explain the issue and how to test if it is fixed?

I have reviewed the changes and they look OK. Testing: try to insert malicious content into the name fields, the location and the date, and check whether it is effective in the new point overview (wot 15) or in the assure-someone page (wot 6). Also try some special but allowable inputs such as special characters not in latin1.

I assured an account with umlauts. I detected no issue. But I did not detect issues with this before the follow-up patch either. I used again <script type="text/javascript">alert("FAIL!");</script> in the location field. Had no problems in any of the views afterwards. => ok

Minor fixup to resynchronize the calculation of the wothash based on the name of the user. While wot/6.php included the sanitizing, it was missing in www/wot.php, causing failures to assure some users. This has just been fixed by pulling the escaping to the place where it is checked. This should not require repeating the review; though I'm open if anyone sees a need anyway.
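As an added illustration (an editor's Python model, not CAcert's PHP code and not something posted in this thread) of the two defects discussed above: escaping the location field at display time makes both payloads quoted in this issue inert while leaving umlauts untouched, the reporter's suggested "<" ... ">" input filter also rejects legitimate text, and the wothash must be computed over the same canonicalised name on the form page and on the checking page. The hash construction, salt and sample names are assumptions.

```python
import hashlib
import html

# Constructed test values taken from the payloads quoted in this issue; not real assurance records.
LOCATION_CLOSED = '<script type="text/javascript">alert("FAIL!");</script>'
LOCATION_UNCLOSED = '<script type="text/javascript">alert("FAIL!");'  # the "syntactically incorrect" variant
LOCATION_UMLAUT = "Düsseldorf, Straße 1"  # allowable input outside plain ASCII


def render_cell(stored_value):
    """Escape a stored field at display time, as WoT 15 had to do (WoT 10 already did).

    Escaping on output keeps the database value intact (umlauts included) while
    guaranteeing that whatever was stored cannot become markup in the page."""
    return html.escape(stored_value, quote=True)


def is_inert(rendered):
    """What the testers verified in the page source: no raw tag delimiters survive."""
    return "<" not in rendered and ">" not in rendered


def input_filter_accepts(value):
    """The reporter's suggestion b): refuse anything containing '<' followed later by '>'.

    It rejects both script payloads above, but also legitimate text such as
    'a < b and c > d', which is one reason the fix escaped on output instead."""
    lt = value.find("<")
    return lt == -1 or value.find(">", lt) == -1


def canonical_name(name):
    """One shared canonicalisation used by every page that hashes the name."""
    return html.escape(name.strip(), quote=True)


def wothash(name, salt):
    """Hypothetical wothash; the real construction is not shown in the issue.
    The form page and the checking page must both call this so the hashes agree."""
    return hashlib.sha256((salt + canonical_name(name)).encode("utf-8")).hexdigest()


def wothash_unsanitised(name, salt):
    """The defect in the follow-up note: one page hashed the raw, unescaped name."""
    return hashlib.sha256((salt + name.strip()).encode("utf-8")).hexdigest()


def hashes_agree(name, salt="constructed-salt"):
    """False exactly for the names that escaping changes, e.g. a name with an apostrophe."""
    return wothash(name, salt) == wothash_unsanitised(name, salt)
```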

My last test was after the last change from Benny (see changelog), as at first I was not able to finish the assurance for said test and could only do so after his change.

Used <script type="text/javascript">alert("FAIL!");</script> to assure a special account:
- location -> OK
- names history -> OK
- SE -> OK
- 10 -> OK
- 15 -> OK
=> OK

The fix has been installed on the production server on August 9, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00006.html

Date Modified | Username | Field | Change |
---|---|---|---|
2014-07-26 14:59 | Eva | New Issue | |
2014-07-26 14:59 | Eva | Assigned To | => NEOatNHNG |
2014-07-26 18:22 | Eva | Note Added: 0004893 | |
2014-07-26 18:25 | Eva | Additional Information Updated | |
2014-07-26 18:28 | MartinGummi | Note Added: 0004894 | |
2014-07-26 18:29 | MartinGummi | Note Edited: 0004894 | |
2014-07-26 18:30 | MartinGummi | Steps to Reproduce Updated | |
2014-07-26 18:30 | MartinGummi | Additional Information Updated | |
2014-07-26 18:31 | MartinGummi | Steps to Reproduce Updated | |
2014-07-26 18:31 | MartinGummi | Steps to Reproduce Updated | |
2014-07-26 18:31 | MartinGummi | Additional Information Updated | |
2014-07-26 18:32 | MartinGummi | Additional Information Updated | |
2014-07-27 11:00 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable eab48f34 |
2014-07-27 11:00 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 89901a37 |
2014-07-27 11:00 | BenBE | Reviewed by | => BenBE |
2014-07-27 11:00 | BenBE | Note Added: 0004896 | |
2014-07-27 11:00 | BenBE | Status | new => needs review & testing |
2014-07-27 11:00 | BenBE | Category | website content => web of trust |
2014-07-27 11:00 | BenBE | Product Version | => 2012 Q2 |
2014-07-27 11:00 | BenBE | Target Version | => 2014 Q3 |
2014-07-27 11:12 | Eva | Note Added: 0004898 | |
2014-07-27 11:45 | INOPIAE | Note Added: 0004899 | |
2014-07-27 12:28 | Eva | Note Added: 0004900 | |
2014-07-27 12:28 | Eva | Note Edited: 0004900 | |
2014-07-27 14:30 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 17f46a81 |
2014-07-27 14:30 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable ba17817e |
2014-07-27 14:31 | BenBE | Note Added: 0004901 | |
2014-07-27 14:45 | Eva | Note Added: 0004902 | |
2014-07-27 14:48 | Eva | Note Edited: 0004902 | |
2014-07-27 21:13 | Eva | Note Added: 0004904 | |
2014-07-28 11:48 | NEOatNHNG | Reviewed by | BenBE => NEOatNHNG, BenBE |
2014-07-28 11:48 | NEOatNHNG | Note Added: 0004905 | |
2014-07-28 11:48 | NEOatNHNG | Status | needs review & testing => needs testing |
2014-07-28 11:50 | NEOatNHNG | Note Edited: 0004905 | |
2014-07-29 21:30 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 32ea5681 |
2014-07-29 21:30 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable b2f8a5d2 |
2014-07-29 21:48 | Eva | Note Added: 0004906 | |
2014-07-29 21:50 | BenBE | Note Added: 0004907 | |
2014-07-29 21:56 | Eva | Note Added: 0004909 | |
2014-07-29 23:19 | MartinGummi | Note Added: 0004912 | |
2014-07-29 23:20 | MartinGummi | Note Edited: 0004912 | |
2014-08-05 20:15 | MartinGummi | Status | needs testing => ready to deploy |
2014-08-09 09:15 | BenBE | Source_changeset_attached | => cacert-devel release 3641ed05 |
2014-08-09 09:22 | wytze | Note Added: 0004928 | |
2014-08-09 09:22 | wytze | Status | ready to deploy => solved? |
2014-08-09 09:22 | wytze | Fixed in Version | => 2014 Q3 |
2014-08-09 09:22 | wytze | Resolution | open => fixed |
2014-08-09 11:58 | BenBE | View Status | private => public |
2014-11-21 06:49 | INOPIAE | Status | solved? => closed |