View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000183 | Main CAcert Website | source code | public | 2006-03-27 23:34 | 2013-11-20 22:23 |
| Field | Value |
|---|---|
| Reporter | aanriot |
| Assigned To | |
| Priority | immediate |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Fixed in Version | 2006 |
| Summary | 0000183: don't trust my names |

**Description**

Possible MySQL injection. In line 328 of general.php the variable `$dom` is used to check whether a domain is present in the database. As far as I can see this variable is directly extracted from the user's CSR without any further validation or parsing (besides a `trim()`).

**Additional Information**

Using a carefully crafted CSR it might be possible to exploit this for a MySQL injection attack. I'm not sure how much openssl rejects these certs, but we shouldn't trust openssl for parsing domain names ... I DIDN'T TEST THIS and there is no PoC, but the path from the CSR to `$dom` doesn't look very good:

```php
// general.php: the path from the uploaded CSR to $dom, as quoted in the report
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val) {
    $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
}
$bits = explode(": ", $_SESSION['_config']['subject'], 2);
$bits = str_replace(", ", "|", str_replace("/", "|", $bits['1']));
$bits = explode("|", $bits);
// per component $val of $bits:
$split = explode("=", $val);
$split['1'] = trim($split['1']);
$_SESSION['_config'][$k] = $split['1'];   // here $k = $cnc.CN
$CN = $_SESSION['_config']["$cnc.CN"];
$dom = $bits[$i] = explode(".", $CN);
```

Doing a `mysql_escape_string()` on the result of the openssl call shouldn't harm the process. This may apply to other CSRs as well (email cert, org cert, ...) and maybe even to the GPG signing request.

| Field | Value |
|---|---|
| Tags | No tags attached. |
| Reviewed by | |
| Test Instructions | |
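The path the report describes, worked through as an added example in Python (this is not CAcert's code and not part of the original report). `extract_cn()` mirrors the quoted PHP pipeline on a constructed `openssl req -text -noout` dump whose CN was chosen by a hypothetical attacker; how openssl escapes such a CN in real output is an assumption, as the reporter notes the path was untested. `vulnerable_query()` is the string-concatenation pattern the report worries about, and `lookup_domain()` is the fix the report points at, taken one step beyond `mysql_escape_string()`: validate that the CN actually has the shape of a hostname and bind it as a query parameter. The `domains(id, domain, deleted)` table is hypothetical, and SQLite stands in for MySQL since the injected query behaves the same in both.

```python
import re
import sqlite3

# Constructed sample of `openssl req -text -noout` output. The CN was chosen by a
# hypothetical attacker; this is not a real CAcert CSR, and the exact escaping
# openssl applies to such a CN is an assumption.
CSR_TEXT_DUMP = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Example Org, CN=www.example.com' OR '1'='1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""


def extract_cn(openssl_text: str) -> str:
    """Mirror the PHP pipeline in the report: take the 'Subject:' line, split it
    once on ': ', turn '/' and ', ' into '|', then read the CN= component.
    Nothing here validates the value, just as in the quoted code."""
    subject_line = next(line for line in openssl_text.splitlines() if "Subject:" in line).strip()
    _, rdns = subject_line.split(": ", 1)
    rdns = rdns.replace("/", "|").replace(", ", "|")
    fields = {}
    for part in rdns.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields["CN"]


def vulnerable_query(dom: str) -> str:
    """The pattern the report worries about: the CN lands in the SQL text by
    string concatenation, with only trim() applied to it."""
    return f"SELECT id FROM domains WHERE domain='{dom}' AND deleted=0"


# RFC 1123 hostname: labels of 1-63 letters, digits and '-', no leading or
# trailing '-', at least two labels, at most 253 characters overall. Anything a
# CSR subject can smuggle in (quotes, spaces, comment markers) fails this check.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(\.{LABEL})+$")


def is_valid_hostname(name: str) -> bool:
    return bool(HOSTNAME_RE.match(name))


def lookup_domain(conn: sqlite3.Connection, dom: str):
    """Hardened lookup: reject anything that is not a hostname, then bind the
    value as a parameter so the SQL text never changes. Returns the matching
    id or None."""
    if not is_valid_hostname(dom):
        raise ValueError(f"CN is not a hostname: {dom!r}")
    row = conn.execute(
        "SELECT id FROM domains WHERE domain=? AND deleted=0", (dom,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both paths against an in-memory table (SQLite standing in for the
    MySQL instance of the report; the injected query behaves the same here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (id INTEGER PRIMARY KEY, domain TEXT, deleted INTEGER)")
    conn.executemany(
        "INSERT INTO domains (domain, deleted) VALUES (?, ?)",
        [("www.example.com", 0), ("someone-elses.example.org", 0), ("old.example.com", 1)],
    )
    cn = extract_cn(CSR_TEXT_DUMP)
    # Vulnerable path: the quote in the CN closes the literal and the OR widens
    # the match to every non-deleted row, i.e. domains the requester never verified.
    vulnerable_rows = conn.execute(vulnerable_query(cn)).fetchall()
    try:
        lookup_domain(conn, cn)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "cn": cn,
        "vulnerable_rows": len(vulnerable_rows),
        "hardened_rejected": rejected,
        "legit_lookup": lookup_domain(conn, "www.example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the concatenated query matching two domains for a CSR that names one, while the hardened lookup refuses the CN before any SQL is built. Escaping alone, as the report suggests, would stop the injection; validating the hostname shape additionally keeps non-domain garbage out of the later per-label checks that `explode(".", $CN)` feeds.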
Date Modified | Username | Field | Change |
---|---|---|---|
2006-03-27 23:34 | | New Issue | |
2006-04-20 19:32 | | Relationship added | related to 0000208 |
2006-08-14 18:28 | duane | Relationship deleted | related to 0000208 |
2006-08-14 18:32 | duane | Status | new => needs work |
2006-08-14 18:32 | duane | Assigned To | => bluec |
2006-08-14 18:32 | duane | Status | needs work => solved? |
2006-08-14 18:32 | duane | Fixed in Version | => production |
2006-08-14 18:32 | duane | Resolution | open => fixed |
2006-08-14 18:32 | duane | Note Added: 0000464 | |
2007-10-24 06:15 | evaldo | Reporter | bluec => aanriot |
2007-10-24 06:15 | evaldo | Assigned To | bluec => |
2007-10-24 06:15 | evaldo | Status | solved? => closed |
2013-01-14 02:59 | Werner Dworak | Fixed in Version | => 2006 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |