View Issue Details

ID: 0000183
Project: Main CAcert Website
Category: source code
View Status: public
Last Update: 2013-11-20 22:23
Reporter: aanriot
Assigned To:
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000183: don't trust my names
Description: Possible mysql injection.

In line 328 in general.php the variable $dom is used to check if a domain is present in the database. As far as I can see this variable is directly extracted out of the user's csr without any further validation or parsing (besides a trim()).
Additional Information: Using a carefully crafted csr it might be possible to exploit this for a mysql injection attack against. I'm not sure how much openssl rejects these certs but we shouldn't trust in openssl for parsing domain names ...


I DIDN'T TEST THIS and there is no POC but the path from the csr to $dom doesn't look very good:

// Subject line and SAN DNS entries are taken verbatim from the openssl text dump
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val)
{
$_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
}

// The combined subject string is split into key=value pairs on "," and "/"
$bits = explode(": ", $_SESSION['_config']['subject'], 2);
$bits = str_replace(", ", "|", str_replace("/", "|", $bits['1']));
$bits = explode("|", $bits);

// Each value is stored after nothing more than a trim()
$split = explode("=", $val);
$split['1'] = trim($split['1']);
$_SESSION['_config'][$k] = $split['1']; // here $k = "$cnc.CN"
$CN = $_SESSION['_config']["$cnc.CN"];
$dom = $bits[$i] = explode(".", $CN);


Doing a mysql_escape_string() to the result of the openssl call shouldn't harm the process.

This may apply to other csr as well (email cert, org cert, ...) and maybe even to the gpg signing request.
Tags: No tags attached.
Reviewed by:
Test Instructions:
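The validation the report asks for, as an added example in Python (not CAcert's PHP code): the CN and SAN DNS names are pulled out of a constructed `openssl req -text` dump the way the grep/explode chain does, checked against a strict hostname grammar before they are used for anything, and then looked up with a parameterised query. The CSR text, the `domains` table and the domain values are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample of `openssl req -text -noout` output (not a real CAcert CSR).
GOOD_CSR_TEXT = """Certificate Request:
    Data:
        Subject: C=AU, O=Example, CN=www.example.org
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.org, DNS:mail.example.org
"""
# Constructed CN carrying SQL metacharacters; it must never reach a query.
BAD_CSR_TEXT = GOOD_CSR_TEXT.replace("CN=www.example.org", "CN=x.example.org' OR '1'='1")

# One DNS label: starts/ends alphanumeric, hyphens only inside, 1-63 chars.
# The full name must have at least two labels and be at most 253 chars.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$", re.IGNORECASE)

def extract_names(csr_text):
    """Pull the CN and SAN DNS names out of openssl's text dump, de-duplicated, in order."""
    names = []
    m = re.search(r"^\s*Subject:.*?\bCN=([^,\n]*)", csr_text, re.MULTILINE)
    if m:
        names.append(m.group(1).strip())
    names += [d.strip() for d in re.findall(r"DNS:([^,\n]+)", csr_text)]
    return list(dict.fromkeys(names))

def validate_hostname(name):
    """Allow-list check: return the lowercased name, or None if it is not a plain DNS hostname."""
    if len(name) > 253 or not HOSTNAME_RE.match(name):
        return None
    return name.lower()

def domain_known(conn, dom):
    """Parameterised lookup: the name is bound as data, never spliced into the SQL text."""
    row = conn.execute("SELECT COUNT(*) FROM domains WHERE domain = ?", (dom,)).fetchone()
    return row[0] > 0

def check_csr(conn, csr_text):
    """Return (accepted, rejected): validated names present in the DB, and names failing validation."""
    accepted, rejected = [], []
    for raw in extract_names(csr_text):
        dom = validate_hostname(raw)
        if dom is None:
            rejected.append(raw)
        elif domain_known(conn, dom):
            accepted.append(dom)
    return accepted, rejected

def demo_db():
    """In-memory stand-in for the domains table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT)")
    conn.executemany("INSERT INTO domains VALUES (?)", [("www.example.org",), ("mail.example.org",)])
    return conn
```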

Activities

duane

2006-08-14 18:32

developer ~0000464

$dom = mysql_real_escape_string($dom); * 5...

Issue History

Date Modified Username Field Change
2006-03-27 23:34 bluec New Issue
2006-04-20 19:32 bluec Relationship added related to 0000208
2006-08-14 18:28 duane Relationship deleted related to 0000208
2006-08-14 18:32 duane Status new => needs work
2006-08-14 18:32 duane Assigned To => bluec
2006-08-14 18:32 duane Status needs work => solved?
2006-08-14 18:32 duane Fixed in Version => production
2006-08-14 18:32 duane Resolution open => fixed
2006-08-14 18:32 duane Note Added: 0000464
2007-10-24 06:15 evaldo Reporter bluec => aanriot
2007-10-24 06:15 evaldo Assigned To bluec =>
2007-10-24 06:15 evaldo Status solved? => closed
2013-01-14 02:59 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public