cacert/cacert-webdb
9
0
Fork 0
Code Issues Pull requests 3 Projects Releases 4 Wiki Activity

fix for https://bugs.cacert.org/view.php?id=1272

Browse source 
"Arbitrary Code Execution via SQL injection on certain database fields"
This commit is contained in:
Mendel Mobach 2014-04-19 07:32:11 +00:00
parent ea8c675168
commit 1112d76dd5
4 changed files with 31 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
includes/account.php
View file

@ -395,7 +395,8 @@ function buildSubjectFromSession() {
fputs($fp, $emails); fputs($fp, $emails);
fclose($fp); fclose($fp);
$challenge=$_SESSION['spkac_hash']; $challenge=$_SESSION['spkac_hash'];
$res=`openssl spkac -verify -in $CSRname`; $CSRname_esc = escapeshellarg($CSRname);
$res=`openssl spkac -verify -in $CSRname_esc`;
if(!strstr($res,"Challenge String: ".$challenge)) if(!strstr($res,"Challenge String: ".$challenge))
{ {
$id = $oldid; $id = $oldid;
@ -457,7 +458,9 @@ function buildSubjectFromSession() {
$csrsubject .= "/emailAddress = ".$user['uniqueID']; $csrsubject .= "/emailAddress = ".$user['uniqueID'];
$tmpname = tempnam("/tmp", "id4csr"); $tmpname = tempnam("/tmp", "id4csr");
$do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`; // -subj "$csr"`; $tmpfname_esc = escapeshellarg($tmpfname);
$tmpname_esc = escapeshellarg($tmpname);
$do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`; // -subj "$csr"`;
@unlink($tmpfname); @unlink($tmpfname);
$csr = ""; $csr = "";
$fp = fopen($tmpname, "r"); $fp = fopen($tmpname, "r");
@ -733,9 +736,9 @@ function buildSubjectFromSession() {
$fp = fopen($_SESSION['_config']['tmpfname'], "w"); $fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR); fputs($fp, $CSR);
fclose($fp); fclose($fp);
$CSR = $_SESSION['_config']['tmpfname']; $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`); $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`)); $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val) foreach($bits as $val)
{ {
$_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val); $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@ -900,8 +903,9 @@ function buildSubjectFromSession() {
$newid = mysql_insert_id(); $newid = mysql_insert_id();
$newfile=generatecertpath("csr","server",$newid); $newfile=generatecertpath("csr","server",$newid);
copy($row['csr_name'], $newfile); copy($row['csr_name'], $newfile);
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep "Subject:"`); $newfile_esc = escapeshellarg($newfile);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`)); $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val) foreach($bits as $val)
{ {
$_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val); $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@ -930,7 +934,8 @@ function buildSubjectFromSession() {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else { } else {
$drow = mysql_fetch_assoc($res); $drow = mysql_fetch_assoc($res);
$cert = `/usr/bin/openssl x509 -in $drow[crt_name]`; $crt_name = escapeshellarg($drow['crt_name']);
$cert = `/usr/bin/openssl x509 -in $crt_name`;
echo "<pre>\n$cert\n</pre>\n"; echo "<pre>\n$cert\n</pre>\n";
} }
} }
@ -1552,7 +1557,8 @@ function buildSubjectFromSession() {
fputs($fp, $emails); fputs($fp, $emails);
fclose($fp); fclose($fp);
$challenge=$_SESSION['spkac_hash']; $challenge=$_SESSION['spkac_hash'];
$res=`openssl spkac -verify -in $CSRname`; $CSRname_esc = escapeshellarg($CSRname);
$res=`openssl spkac -verify -in $CSRname_esc`;
if(!strstr($res,"Challenge String: ".$challenge)) if(!strstr($res,"Challenge String: ".$challenge))
{ {
$id = $oldid; $id = $oldid;
@ -1604,7 +1610,9 @@ function buildSubjectFromSession() {
$csrsubject .= "/countryName=".$org['C']; $csrsubject .= "/countryName=".$org['C'];
$tmpname = tempnam("/tmp", "id17csr"); $tmpname = tempnam("/tmp", "id17csr");
$do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`; $tmpfname_esc = escapeshellarg($tmpfname);
$tmpname_esc = escapeshellarg($tmpname);
$do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`;
@unlink($tmpfname); @unlink($tmpfname);
$csr = ""; $csr = "";
$fp = fopen($tmpname, "r"); $fp = fopen($tmpname, "r");
@ -1860,9 +1868,9 @@ function buildSubjectFromSession() {
$fp = fopen($_SESSION['_config']['tmpfname'], "w"); $fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR); fputs($fp, $CSR);
fclose($fp); fclose($fp);
$CSR = $_SESSION['_config']['tmpfname']; $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`); $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
$bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`)); $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
foreach($bits as $val) foreach($bits as $val)
{ {
$_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val); $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@ -2080,7 +2088,8 @@ function buildSubjectFromSession() {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else { } else {
$drow = mysql_fetch_assoc($res); $drow = mysql_fetch_assoc($res);
$cert = `/usr/bin/openssl x509 -in $drow[crt_name]`; $crtname = escapeshellarg($drow['crt_name']);
$cert = `/usr/bin/openssl x509 -in $crtname`;
echo "<pre>\n$cert\n</pre>\n"; echo "<pre>\n$cert\n</pre>\n";
} }
} }

3
scripts/cron/warning.php
View file

@ -38,7 +38,8 @@
{ {
$row['crt_name'] = str_replace("../", "www/", $row['crt_name']); $row['crt_name'] = str_replace("../", "www/", $row['crt_name']);
$row['crt_name'] = "/home/cacert/".$row['crt_name']; $row['crt_name'] = "/home/cacert/".$row['crt_name'];
$subject = `openssl x509 -in '$row[crt_name]' -text -noout|grep Subject:`; $crt_name = escapeshellarg($row['crt_name']);
$subject = `openssl x509 -in $crt_name -text -noout|grep Subject:`;
$bits = explode("/", $subject); $bits = explode("/", $subject);
foreach($bits as $val) foreach($bits as $val)
{ {

5
scripts/scanforexponents.php
View file

@ -29,10 +29,11 @@
if(!is_file($file)) if(!is_file($file))
continue; continue;
$file_esc = escapeshellarg($file);
if(substr($file, -3) == "der") if(substr($file, -3) == "der")
$do = trim(`openssl x509 -inform der -in $file -text -noout 2>&1 |grep 'Exponent'`); $do = trim(`openssl x509 -inform der -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
else else
$do = trim(`openssl x509 -in $file -text -noout 2>&1 |grep 'Exponent'`); $do = trim(`openssl x509 -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
if($do == "") if($do == "")
continue; continue;

4
www/api/ccsr.php
View file

@ -73,7 +73,9 @@ require_once '../../includes/lib/check_weak_key.php';
$fp = fopen($incsr, "w"); $fp = fopen($incsr, "w");
fputs($fp, $CSR); fputs($fp, $CSR);
fclose($fp); fclose($fp);
$do = `/usr/bin/openssl req -in $incsr -out $checkedcsr`; $incsr_esc = escapeshellarg($incsr);
$checkedcsr_esc = escapeshellarg($checkedcsr);
$do = `/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc`;
@unlink($incsr); @unlink($incsr);
if(filesize($checkedcsr) <= 0) if(filesize($checkedcsr) <= 0)
die("404,Invalid or missing CSR"); die("404,Invalid or missing CSR");