View Issue Details

IDProjectCategoryView StatusLast Update
0000148Main CAcert WebsiteGPG/PGPpublic2013-01-13 17:01
ReporterbluecAssigned To 
Status closedResolutionfixed 
Fixed in Version2006 
Summary0000148: site shouldn't rely on magic_quotes_gpc turned on
DescriptionIf you submit the following as a gpg CSR

  /tmp\\"; touch /tmp/OWNED \\"

it is extended to

  /tmp\\\\\"; touch /tmp/OWNED \\\\\"

by the magic_quotes_gpc function of php.

Although this saves us I still consider it as a minor risk to the security of the server. If magic_quotes would accidently been turned off an attacker could execute shell commands with the rights of the webserver.

Using addslashes() together with get_magic_quotes_gpc() should keep the CSR intact and the server secure.
TagsNo tags attached.
Reviewed by
Test Instructions


related to 0000245 closed Shell escape 



2006-08-14 02:56

developer   ~0000399

Bug 0000245 resolved this issue.

Issue History

Date Modified Username Field Change
2006-03-04 13:01 bluec New Issue
2006-05-28 21:51 bluec Relationship added related to 0000245
2006-08-14 02:56 duane Status new => closed
2006-08-14 02:56 duane Note Added: 0000399
2006-08-14 02:56 duane Resolution open => fixed
2013-01-13 17:01 Werner Dworak Fixed in Version => 2006