View Issue Details

IDProjectCategoryView StatusLast Update
0000161Main CAcert Websitesource codepublic2013-11-20 22:23
Reporteraanriot Assigned To 
Status closedResolutionfixed 
Fixed in Version2006 
Summary0000161: concerning variable reuse
DescriptionI set this private because I'm not entirely sure that there is no way exploit this.

The array $_SESSION['_config']['user'] is used in two different parts of the cacert website. Firstly in "Find an Assurer" and secondly in "My Details -> edit". In both cases the array is always filled with all details of an user (including lost password questions/answer).

If you manage to change the content of the array between two different screens you might find a way to exploit it. It is possible to do this with the "Find an Assurer" function:

  1. Search for any assurer
  2. Open "My Details -> edit" in another window
  3. Send message to assurer from step 1
  4. Message will be sent to your account

While this is not a big deal, I'm afraid that there might be a way to do it the other way round (display other peoples data in your "My Details -> edit".

Currently it seems to be impossible only because:

 - if id==13 and ($_SESSION['_config']['user']['set'] != 1) the array will
   be reset to the current users values. As the "Find an Assurer" function
   doesn't set $_SESSION['_config']['user']['set'] there is no problem.

 - if oldid==13 and process!="" the first thing done is to overwrite the
   array with the data the user submitted. This overwrites the lost password
   details aswell.

 - it is not possible anymore(!) as direct access to account/13.php has
   been removed some hours ago.

I'm afraid that only little changes to the code or website (e.g. adding a feature) might cause an unexpected change to the current situation and allow anyone to access other users profiles.

I recommend to use different SESSION variables for both functions.
TagsNo tags attached.
Reviewed by
Test Instructions



2006-08-16 12:38

developer   ~0000522

In pages/account/13.php...

$user = $_SESSION['profile'];
sed s/$_SESSION['config']['user']/$user/

Issue History

Date Modified Username Field Change
2006-03-06 01:25 bluec New Issue
2006-08-16 12:37 duane Status new => needs work
2006-08-16 12:37 duane Assigned To => bluec
2006-08-16 12:38 duane Status needs work => solved?
2006-08-16 12:38 duane Fixed in Version => production
2006-08-16 12:38 duane Resolution open => fixed
2006-08-16 12:38 duane Note Added: 0000522
2007-10-24 06:07 evaldo Reporter bluec => aanriot
2007-10-24 06:07 evaldo Assigned To bluec =>
2007-10-24 06:07 evaldo Status solved? => closed
2013-01-14 01:26 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public