what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AKLINK-SA-2008-007.txt

AKLINK-SA-2008-007.txt
Posted Sep 29, 2008
Authored by Alexander Klink | Site cynops.de

CAcert suffered from a cross site scripting vulnerability when parsing a given X.509 certificate.

tags | advisory, xss
SHA-256 | 010dc8224e527b25fcbaf1dd8c4db3d011ad35ad977a4c283f92787b8471e40c

AKLINK-SA-2008-007.txt

Change Mirror Download
Hi,

normally I wouldn't bother much posting a simple XSS here, but I'll
make an exception for CAcert today.

Kriss Andsten's blog post
(http://www.shortpacket.org/2008/08/cacertorg-you-got-what-you-paid-for.html)
made me want to take a look at the CAcert source myself, and so I did
on Friday. It certainly isn't up to secure coding practices, they quote
all HTML output and all MySQL queries manually, and so they are bound to
occasionally miss something - like they did in analyse.php.

Being an open source (PKI) developer, I'd be happy to see a free (not only
as in beer, but also as in speech) CA that is widely accepted - having
glanced shortly at the code (same as Kriss, I wouldn't be surprised if
there is more to be found if you know more about PHP security than me),
I wonder if CAcert is that CA ...

Enough rambling, here you go:

============================================
||| Security Advisory AKLINK-SA-2008-007 |||
============================================

CAcert - Cross Site Scripting
=============================

Date released: 29.09.2008
Date reported: 26.09.2008
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink@cynops.de
https://www.cynops.de/advisories/AKLINK-SA-2008-007.txt
(S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-007-signed.txt)
https://www.klink.name/security/aklink-sa-2008-007-cacert-xss.txt

Vendor: CAcert
Product: CAcert - certificate authority providing free certificates
Website: http[s]://www.cacert.org
Vulnerability: non-persistent cross site scripting
Class: remote
Status: patched
Severity: moderate (authentication information may be stolen)
Releases known to be affected: cacert-20080921.tar.bz2
Releases known NOT to be affected: cacert-20080928.tar.bz2

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

CAcert is a certifificate authority that provides free certificates
to end users based on a web-of-trust assurance model.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

CAcert provides a page that allows a user to show information on
a given X.509 certificate. This page was vulnerable to a cross site
scripting attack, which might have led to session information of a
logged-in user being compromised.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

http[s]://www.cacert.org/analyse.php contains the following code:

echo "<pre>";
print_r(openssl_x509_parse(openssl_x509_read($_POST['csr'])));
echo "</pre>";

which is used to dump the certificate details as parsed by the
openssl_x509_parse() PHP function.
No escaping whatsoever of this information is done, so an attacker
can create a certificate with HTML tags, which are then shown on the
page.

A PoC certificate can easily be creating using OpenSSL:

$ openssl req -new -x509 \
-subj "/CN=<\/pre><script>alert(document.cookies)<\/script><pre>"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

* 26.09.2008: Contacted Philipp Guehring about the issue
* 27.09.2008: Philipp informs me that the issue has been fixed

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Has been fixed by escaping the output using htmlspecialchars().

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

- Alexander Klink, Cynops GmbH (discovery)


Cheers,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close