View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000286||Main CAcert Website||my account||public||2006-08-08 10:18||2013-11-20 22:23|
|Fixed in Version||2006|
|Summary||0000286: language issues (1/2)|
|Description||In includes/general.php line 91 the client provided environment variable $_SERVER['HTTP_ACCEPT_LANGUAGE'] is split into $val and $short without any parsing.|
There might be a way to set $_SESSION['_config']['language'] to arbitrary values by exploiting file_exists() which may lead to further issues such as sql injection or XSS!
There is no PoC and I'm not even sure if it acually is exploitable but we better make sure.
|Tags||No tags attached.|
||This is a non issue, while the original string isn't dealt with differently the section checking files limits strings to 2 characters, which if you can exploit is news to me...|
Last edited: 2006-08-08 20:37
Never ever allow for unescaped ' in mysql queries! The limit you are talking about is at 5 characters for the $_SESSION['_config']['language'] variable and it _is_ possible to exploit mysql with such a short string.
Look at '-- x which would reset the language field for all users if you can get it into the query string as the language name. Not even magic_quotes_gpc covers $_SERVER['HTTP_ACCEPT_LANGUAGE'] so a user can set it to whatever she likes.
Currently the security of the site relays on
1. blanks are removed by str_replace(" ", "", $_SERVER['HTTP_ACCEPT_LANGUAGE'])
This will case the example above to fail with a mysql_error because '--x is not valid. Are you sure there is no alternative for " "?
2. file_exists() does not return true for nonexisting message.po files.
I've no time to search for exploits to file_exists() so please fix this before someone else finds out that $something passed to file_exists() will always return true ...
- $bits = explode(",", strtolower(str_replace(" ", "", $_SERVER['HTTP_ACCEPT_LANGUAGE'])));
+ $bits = explode(",", strtolower(str_replace(" ", "", mysql_real_escape_string($_SERVER['HTTP_ACCEPT_LANGUAGE']))));
+ $val = substr(escapeshellarg($val), 1, -1);
$short = substr($val, 0, 2);
|2006-08-08 10:56||duane||Status||new => closed|
|2006-08-08 10:56||duane||Note Added: 0000350|
|2006-08-08 10:56||duane||Resolution||open => no change required|
||Note Added: 0000353|
||Status||closed => needs feedback|
||Resolution||no change required => reopened|
||Note Edited: 0000353|
|2006-08-09 00:18||duane||Note Added: 0000354|
|2006-08-09 00:19||duane||Status||needs feedback => solved?|
|2006-08-09 00:19||duane||Fixed in Version||=> production|
|2006-08-09 00:19||duane||Resolution||reopened => fixed|
|2006-08-09 00:19||duane||Assigned To||=> duane|
|2007-10-24 06:22||evaldo||Reporter||bluec => aanriot|
|2007-10-24 06:22||evaldo||Assigned To||duane =>|
|2007-10-24 06:22||evaldo||Status||solved? => closed|
|2013-01-14 10:49||Werner Dworak||Fixed in Version||=> 2006|
|2013-11-20 22:23||NEOatNHNG||View Status||private => public|