View Issue Details

ID: 0000200
Project: Main CAcert Website
Category: web of trust
View Status: public
Last Update: 2013-11-20 22:23
Reporter: aanriot
Assigned To:
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000200: creating client certs with arbitrary names included
Description: This bug hasn't been tested, but looking at the source code gives me a good impression that this will work.

Description
===========

If you've created a user account using the CAcert join function, it is possible to change your account details until you have received assurance points. The assurer will be checking your "current name in the database", and if this matches the details you provided on the WoT form you'll get your points.

If you want to create a client certificate including your name, you need to have >=50 assurance points. The name that may be included in the certificate is NOT taken out of the database. Instead it's taken out of $_SESSION['profile'], which is populated when you log on.

How to exploit it?

1. Create a new account with the fake details you want on your client cert.
2. Log in with two different browsers at the same time.
   Both $_SESSION['profile'] arrays will be initialised with the fake details.
3. Use one session to change your details to something valid which you can
   prove to the assurer. This will be stored in the database.
4. Get assured. The assurer is checking your details in the database.
5. Use the second browser to create a client certificate. This browser's
   session still has your fake name in $_SESSION['profile'], which you will
   have included in your assured client certificate.
   As $_SESSION['profile']['points'] is updated every time you access a page,
   this value will be updated but not your name.


At least the person that tries to exploit this has to authenticate against at least one assurer giving his real name and date of birth.



Tags: No tags attached.
Reviewed by:
Test Instructions:

Activities

duane

2006-04-21 07:08

developer   ~0000170

the code already calcs points prior to a change, and doesn't just accept details of the session...

    // Points are recomputed from the `notary` table on every request,
    // so the session value cannot be used to bypass the points check.
    $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
    $ddres = mysql_query($ddquery);
    $ddrow = mysql_fetch_assoc($ddres);
    $_SESSION['profile']['points'] = $ddrow['total'];
    // A change of details is only permitted inside this branch
    // (the body of the block is not quoted in the note).
    if($_SESSION['profile']['points'] == 0)

bluec

2006-04-21 17:57

manager   ~0000179

The problem isn't the change of name. You are right, this is not possible once you have too many points.

BUT the user's details (fname, lname, ...) are stored in the SESSION, and the values from the SESSION will be used to verify the data a user wants to include in her certificate.

So if you create two sessions at the same time (using two browsers) you can have one of them with your current and correct data (as stored in the database and verified by the assurer) and one with a wrong name (because sessions are never updated from the database while a user is logged on).

duane

2006-04-21 18:24

developer   ~0000181

fail to see how this can be exploited, the system won't allow an update if the user has 1 or more points, the rest is purely informational...

bluec

2006-04-21 18:41

manager   ~0000183

It's not about updating the details. It's about creating certificates.

While a user has 0 points he creates two browser sessions. One with fake details stored in SESSION[] and one with his correct name stored in SESSION[] and saved to the CAcert database. Now he asks someone to assure his correct name, but still the other session has stored the fake name (and won't update these values until the user logs out/in again).

If the user uses the old session with the fake details to create a certificate, he will be able to include these fake details in the cert. Only the points are updated on every page access, but not the details. That makes this exploit possible.

duane

2006-08-14 02:07

developer   ~0000391

+ $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_SESSION['profile']['id']."'"));
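Review bot: the result of `mysql_query(...)` is passed straight into `mysql_fetch_assoc` without checking for a failed query, and `$_SESSION['profile']['id']` is concatenated into the SQL string unescaped; casting it, e.g. `where `id`='".(int)$_SESSION['profile']['id']."'`, and bailing out when `$user` is not an array would make the reload robust. The reload also needs to run in the common per-request include (where the points recalculation already lives) rather than only on the certificate page, otherwise every other consumer of `$_SESSION['profile']` keeps seeing the login-time snapshot.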

then changed $_SESSION['profile']['fname'] to $user['fname'] etc...
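An added, self-contained model of the behaviour described in the report and of the refresh introduced in note 0000391; this is illustrative code, not CAcert's own, and the user row, names and point values are constructed stand-ins for the `users` table and two concurrent `$_SESSION` arrays.

```php
<?php
// Added example, not CAcert's code: an in-memory model of the stale-session
// problem in this report. $users stands in for the `users` table; $sessB
// stands in for one of two concurrent $_SESSION arrays. All names are constructed.

$users = [42 => ['id' => 42, 'fname' => 'Fake', 'lname' => 'Name', 'points' => 0]];

// Login copies the whole user row into the session, as the report describes.
function login(array $users, int $id): array {
    return ['profile' => $users[$id]];
}

// What the report says ran on every page access: points are recalculated,
// but fname/lname keep whatever was copied at login.
function perRequestPointsOnly(array $users, array $session): array {
    $session['profile']['points'] = $users[$session['profile']['id']]['points'];
    return $session;
}

// The change described in note 0000391: reload the row and overwrite the
// session copy of the name fields from the database on every request.
function perRequestFull(array $users, array $session): array {
    $user = $users[$session['profile']['id']];
    foreach (['fname', 'lname', 'points'] as $field) {
        $session['profile'][$field] = $user[$field];
    }
    return $session;
}

// Certificate issuance reads the name from the session; whether that is safe
// depends entirely on which per-request refresh ran before it.
function certSubjectName(array $session): string {
    return $session['profile']['fname'] . ' ' . $session['profile']['lname'];
}

// Two browsers log in while the account still has 0 points; browser B's
// session is the one kept below.
$sessB = login($users, 42);
// Browser A corrects the name (allowed at 0 points); the assurer then checks
// the database and adds points.
$users[42]['fname'] = 'Real';
$users[42]['lname'] = 'Person';
$users[42]['points'] = 50;

// Browser B's session under the old refresh: points updated, name still stale.
$stale = perRequestPointsOnly($users, $sessB);
printf("old refresh: %s (%d points)\n", certSubjectName($stale), $stale['profile']['points']);
// Same session under the fixed refresh: name now matches the database.
$fresh = perRequestFull($users, $sessB);
printf("new refresh: %s (%d points)\n", certSubjectName($fresh), $fresh['profile']['points']);
```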

Issue History

Date Modified Username Field Change
2006-04-09 22:08 bluec New Issue
2006-04-21 07:08 duane Status new => closed
2006-04-21 07:08 duane Note Added: 0000170
2006-04-21 07:08 duane Resolution open => no change required
2006-04-21 07:08 duane Fixed in Version => production
2006-04-21 17:57 bluec Note Added: 0000179
2006-04-21 17:57 bluec Assigned To => duane
2006-04-21 17:57 bluec Status closed => needs work
2006-04-21 17:58 bluec Resolution no change required => reopened
2006-04-21 18:24 duane Status needs work => closed
2006-04-21 18:24 duane Note Added: 0000181
2006-04-21 18:24 duane Resolution reopened => fixed
2006-04-21 18:41 bluec Note Added: 0000183
2006-04-21 18:41 bluec Status closed => needs work
2006-08-14 02:07 duane Status needs work => solved?
2006-08-14 02:07 duane Note Added: 0000391
2007-10-24 05:22 evaldo Reporter bluec => aanriot
2007-10-24 05:22 evaldo Assigned To duane =>
2007-10-24 05:22 evaldo Status solved? => closed
2011-06-22 00:09 edgarwahn Source_changeset_attached => cacert-devel release 5b68967d
2013-01-14 03:14 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public