View Issue Details

IDProjectCategoryView StatusLast Update
0000215Main CAcert Websitecertificate issuingpublic2013-11-20 22:23
ReporterSourcerer Assigned ToSourcerer  
Status closedResolutionfixed 
Fixed in Version2009 Q2 
Summary0000215: Challenge isn´t verified on SPKAC requests
DescriptionThe SPKAC challenges aren´t verified by the system, making Replay-Attacks possible.

At first the challenge is created as a MD5 hash from the random numbers:
www/account/4.php line 0000127
On line 0000131, the challenge is delived to the browser.
The hash doesn´t seem to be stored in the session or somewhere else.

Then the SPKAC request is stored in the database in includes/account.php line 0000184 . (At that point, the challenge should be verified)

Then the SPKAC requests are used in the script
scripts/clientcerts.php line 0000047

TagsNo tags attached.
Reviewed by
Test Instructions



2009-04-26 21:26

administrator   ~0001390

Protection mechanism has been added.

Issue History

Date Modified Username Field Change
2006-04-23 12:36 Sourcerer New Issue
2006-08-14 16:12 duane Status new => needs work
2006-08-14 16:12 duane Assigned To => Sourcerer
2009-04-26 21:26 Sourcerer Note Added: 0001390
2009-04-26 21:26 Sourcerer Status needs work => solved?
2009-04-26 21:28 Sourcerer Status solved? => closed
2009-04-26 21:28 Sourcerer Resolution open => fixed
2013-01-14 08:10 Werner Dworak Fixed in Version => 2009 Q2
2013-11-20 22:23 NEOatNHNG View Status private => public