============================================
||| Security Advisory AKLINK-SA-2008-007 |||
============================================
CAcert - Cross Site Scripting
=============================
Date released: 29.09.2008
Date reported: 26.09.2008
$Revision: 1.1 $
by Alexander Klink
Cynops GmbH
a.klink@cynops.de
https://www.cynops.de/advisories/AKLINK-SA-2008-007.txt
(S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-007-signed.txt)
https://www.klink.name/security/aklink-sa-2008-007-cacert-xss.txt
Vendor: CAcert
Product: CAcert - certificate authority providing free certificates
Website: http[s]://www.cacert.org
Vulnerability: non-persistent cross site scripting
Class: remote
Status: patched
Severity: moderate (authentication information may be stolen)
Releases known to be affected: cacert-20080921.tar.bz2
Releases known NOT to be affected: cacert-20080928.tar.bz2
+
Background:
CAcert is a certifificate authority that provides free certificates
to end users based on a web-of-trust assurance model.
+
Overview:
CAcert provides a page that allows a user to show information on
a given X.509 certificate. This page was vulnerable to a cross site
scripting attack, which might have led to session information of a
logged-in user being compromised.
+
Technical details:
http[s]://www.cacert.org/analyse.php contains the following code:
echo "<pre>";
print_r(openssl_x509_parse(openssl_x509_read($_POST['csr'])));
echo "</pre>";
which is used to dump the certificate details as parsed by the
openssl_x509_parse() PHP function.
No escaping whatsoever of this information is done, so an attacker
can create a certificate with HTML tags, which are then shown on the
page.
A PoC certificate can easily be creating using OpenSSL:
$ openssl req -new -x509 \
-subj "/CN=<\/pre><script>alert(document.cookies)<\/script><pre>"
+
Communication:
* 26.09.2008: Contacted Philipp Guehring about the issue
* 27.09.2008: Philipp informs me that the issue has been fixed
+
Solution:
Has been fixed by escaping the output using htmlspecialchars().
+
Credits:
- Alexander Klink, Cynops GmbH (discovery)