CAcert - Cross Site Scripting

2009.08.24
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

============================================
||| Security Advisory AKLINK-SA-2008-007 |||
============================================

CAcert - Cross Site Scripting
=============================

Date released: 29.09.2008
Date reported: 26.09.2008
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   a.klink@cynops.de

https://www.cynops.de/advisories/AKLINK-SA-2008-007.txt
(S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-007-signed.txt)
https://www.klink.name/security/aklink-sa-2008-007-cacert-xss.txt

Vendor: CAcert
Product: CAcert - certificate authority providing free certificates
Website: http[s]://www.cacert.org
Vulnerability: non-persistent cross site scripting
Class: remote
Status: patched
Severity: moderate (authentication information may be stolen)
Releases known to be affected: cacert-20080921.tar.bz2
Releases known NOT to be affected: cacert-20080928.tar.bz2

+ Background:

  CAcert is a certificate authority that provides free certificates to end
  users based on a web-of-trust assurance model.

+ Overview:

  CAcert provides a page that allows a user to show information on a given
  X.509 certificate. This page was vulnerable to a cross site scripting
  attack, which might have led to session information of a logged-in user
  being compromised.

+ Technical details:

  http[s]://www.cacert.org/analyse.php contains the following code:

    echo "<pre>";
    print_r(openssl_x509_parse(openssl_x509_read($_POST['csr'])));
    echo "</pre>";

  which is used to dump the certificate details as parsed by the
  openssl_x509_parse() PHP function. No escaping whatsoever of this
  information is done, so an attacker can create a certificate with HTML
  tags, which are then shown on the page.

  A PoC certificate can easily be created using OpenSSL:

    $ openssl req -new -x509 \
        -subj "/CN=<\/pre><script>alert(document.cookies)<\/script><pre>"

+ Communication:

  * 26.09.2008: Contacted Philipp Guehring about the issue
  * 27.09.2008: Philipp informs me that the issue has been fixed

+ Solution:

  Has been fixed by escaping the output using htmlspecialchars().

+ Credits:

  - Alexander Klink, Cynops GmbH (discovery)
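The unescaped dump beside the htmlspecialchars() fix, as an added example that is not CAcert's own code. The parsed-certificate array is constructed by hand in the shape openssl_x509_parse() returns, so the snippet runs without a real certificate or the analyse.php form; the function names are the example's own.

```php
<?php
// Constructed stand-in for the value of
//   openssl_x509_parse(openssl_x509_read($_POST['csr']))
// when the certificate subject carries markup, as in the advisory's PoC.
$parsed = [
    'name'    => '/CN=</pre><script>alert(1)</script><pre>',
    'subject' => ['CN' => '</pre><script>alert(1)</script><pre>'],
    'issuer'  => ['CN' => '</pre><script>alert(1)</script><pre>'],
    'version' => 2,
];

// Vulnerable form (analyse.php before cacert-20080928): print_r() writes every
// subject/issuer field verbatim into the HTML response, so the attacker's
// closing </pre> and <script> become real markup in the victim's browser.
function dump_unescaped(array $info): string
{
    return '<pre>' . print_r($info, true) . '</pre>';
}

// Fixed form: escape the whole dump before it reaches the page, as CAcert did.
// ENT_QUOTES also encodes single quotes (relevant if the dump ever lands inside
// an attribute) and the explicit charset avoids a platform-dependent default.
function dump_escaped(array $info): string
{
    return '<pre>'
        . htmlspecialchars(print_r($info, true), ENT_QUOTES, 'UTF-8')
        . '</pre>';
}

// Regression check a reviewer could keep: the only angle brackets allowed in
// the rendered output are the two <pre> tags the script itself emits.
function contains_only_wrapper_tags(string $html): bool
{
    $inner = substr($html, strlen('<pre>'), -strlen('</pre>'));
    return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

var_dump(contains_only_wrapper_tags(dump_unescaped($parsed))); // bool(false)
var_dump(contains_only_wrapper_tags(dump_escaped($parsed)));   // bool(true)
echo dump_escaped($parsed), PHP_EOL; // markup now appears as &lt;script&gt; text
```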

References:

http://xforce.iss.net/xforce/xfdb/45515
http://www.securityfocus.com/bid/31481
http://www.cynops.de/advisories/AKLINK-SA-2008-007.txt
