"Arbitrary Code Execution via SQL injection on certain database fields"
This commit is contained in:
Mendel Mobach 2014-04-19 07:32:11 +00:00
parent ea8c675168
commit 1112d76dd5
4 changed files with 31 additions and 18 deletions


@ -395,7 +395,8 @@ function buildSubjectFromSession() {
fputs($fp, $emails);
fclose($fp);
$challenge=$_SESSION['spkac_hash'];
$res=`openssl spkac -verify -in $CSRname`;
$CSRname_esc = escapeshellarg($CSRname);
$res=`openssl spkac -verify -in $CSRname_esc`;
if(!strstr($res,"Challenge String: ".$challenge))
{
$id = $oldid;
@ -457,7 +458,9 @@ function buildSubjectFromSession() {
$csrsubject .= "/emailAddress = ".$user['uniqueID'];
$tmpname = tempnam("/tmp", "id4csr");
$do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`; // -subj "$csr"`;
$tmpfname_esc = escapeshellarg($tmpfname);
$tmpname_esc = escapeshellarg($tmpname);
$do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`; // -subj "$csr"`;
@unlink($tmpfname);
$csr = "";
$fp = fopen($tmpname, "r");
@ -733,9 +736,9 @@ function buildSubjectFromSession() {
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
fclose($fp);
$CSR = $_SESSION['_config']['tmpfname'];
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
$CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val)
{
$_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@ -900,8 +903,9 @@ function buildSubjectFromSession() {
$newid = mysql_insert_id();
$newfile=generatecertpath("csr","server",$newid);
copy($row['csr_name'], $newfile);
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
$newfile_esc = escapeshellarg($newfile);
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val)
{
$_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@ -930,7 +934,8 @@ function buildSubjectFromSession() {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else {
$drow = mysql_fetch_assoc($res);
$cert = `/usr/bin/openssl x509 -in $drow[crt_name]`;
$crt_name = escapeshellarg($drow['crt_name']);
$cert = `/usr/bin/openssl x509 -in $crt_name`;
echo "<pre>\n$cert\n</pre>\n";
}
}
@ -1552,7 +1557,8 @@ function buildSubjectFromSession() {
fputs($fp, $emails);
fclose($fp);
$challenge=$_SESSION['spkac_hash'];
$res=`openssl spkac -verify -in $CSRname`;
$CSRname_esc = escapeshellarg($CSRname);
$res=`openssl spkac -verify -in $CSRname_esc`;
if(!strstr($res,"Challenge String: ".$challenge))
{
$id = $oldid;
@ -1604,7 +1610,9 @@ function buildSubjectFromSession() {
$csrsubject .= "/countryName=".$org['C'];
$tmpname = tempnam("/tmp", "id17csr");
$do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`;
$tmpfname_esc = escapeshellarg($tmpfname);
$tmpname_esc = escapeshellarg($tmpname);
$do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`;
@unlink($tmpfname);
$csr = "";
$fp = fopen($tmpname, "r");
@ -1860,9 +1868,9 @@ function buildSubjectFromSession() {
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
fclose($fp);
$CSR = $_SESSION['_config']['tmpfname'];
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
$CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val)
{
$_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@ -2080,7 +2088,8 @@ function buildSubjectFromSession() {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else {
$drow = mysql_fetch_assoc($res);
$cert = `/usr/bin/openssl x509 -in $drow[crt_name]`;
$crtname = escapeshellarg($drow['crt_name']);
$cert = `/usr/bin/openssl x509 -in $crtname`;
echo "<pre>\n$cert\n</pre>\n";
}
}
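Review bot: In the third and eighth hunks the line `$CSR = escapeshellarg($_SESSION['_config']['tmpfname']);` overwrites `$CSR` with the shell-quoted form instead of the path, whereas the other hunks keep the path and add an `_esc` copy (`$CSRname_esc`, `$tmpname_esc`, `$newfile_esc`). If any statement after those hunks still uses `$CSR` as a filename, for example to unlink or reopen the temp file, it will now receive a value wrapped in single quotes and fail. Suggest `$CSR_esc = escapeshellarg($_SESSION['_config']['tmpfname']);` and `-in $CSR_esc` in the two backtick commands, leaving `$CSR` as the plain path for consistency with the rest of the commit. The enclosing function bodies start and end outside these hunks, so later uses of `$CSR` cannot be confirmed here.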


@ -38,7 +38,8 @@
{
$row['crt_name'] = str_replace("../", "www/", $row['crt_name']);
$row['crt_name'] = "/home/cacert/".$row['crt_name'];
$subject = `openssl x509 -in '$row[crt_name]' -text -noout|grep Subject:`;
$crt_name = escapeshellarg($row['crt_name']);
$subject = `openssl x509 -in $crt_name -text -noout|grep Subject:`;
$bits = explode("/", $subject);
foreach($bits as $val)
{
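Review bot: `escapeshellarg()` on `$row['crt_name']` in the new lines closes the shell-injection path, but the database value still decides which file `openssl x509 -in` reads, and the only path handling before it is the single `str_replace("../", "www/", ...)` and the `/home/cacert/` prefix in the context lines. Consider also resolving the joined path and confirming it stays inside the intended directory before running the command, e.g. `$crt_path = realpath($row['crt_name']);` followed by `if ($crt_path === false || strpos($crt_path, '/home/cacert/') !== 0) { /* skip this row */ }`, then pass `escapeshellarg($crt_path)` to the command. Whether the surrounding loop makes `continue` the right way to skip is not visible in this hunk.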


@ -29,10 +29,11 @@
if(!is_file($file))
continue;
$file_esc = escapeshellarg($file);
if(substr($file, -3) == "der")
$do = trim(`openssl x509 -inform der -in $file -text -noout 2>&1 |grep 'Exponent'`);
$do = trim(`openssl x509 -inform der -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
else
$do = trim(`openssl x509 -in $file -text -noout 2>&1 |grep 'Exponent'`);
$do = trim(`openssl x509 -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
if($do == "")
continue;


@ -73,7 +73,9 @@ require_once '../../includes/lib/check_weak_key.php';
$fp = fopen($incsr, "w");
fputs($fp, $CSR);
fclose($fp);
$do = `/usr/bin/openssl req -in $incsr -out $checkedcsr`;
$incsr_esc = escapeshellarg($incsr);
$checkedcsr_esc = escapeshellarg($checkedcsr);
$do = `/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc`;
@unlink($incsr);
if(filesize($checkedcsr) <= 0)
die("404,Invalid or missing CSR");
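Review bot: The result of the backtick command on the new `$do = ...` line is never inspected, so a failed `openssl req` is only detected indirectly by `filesize($checkedcsr) <= 0`, which also emits a warning when the output file was never created. A small guard makes the failure explicit without the warning: `if (!is_file($checkedcsr) || filesize($checkedcsr) <= 0)`. If the exit status is wanted, `exec()` with its third argument provides one where the backtick operator does not. `$incsr` and `$checkedcsr` are assigned before this hunk, so their origin cannot be checked here.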