From ac5d02a3071e9bcfac244d70c5350e8510ee25a3 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 27 Nov 2006 23:10:08 +0000 Subject: [PATCH] stamp attack fix --- stamp/certdet.php | 78 ++++++++++++++++++++++++++++------------------ stamp/displogo.php | 14 +++++++++ stamp/report.php | 4 +-- stamp/style.css | 2 +- www/src-lic.php | 2 +- 5 files changed, 65 insertions(+), 35 deletions(-)
diff --git a/stamp/certdet.php b/stamp/certdet.php
index c665dc6..fd74812 100644
--- a/stamp/certdet.php
+++ b/stamp/certdet.php
@@ -7,49 +7,65 @@ $arr = explode("/", $arr['1'], 2); $ref = $arr['0']; - $query = "select *,`domaincerts`.`created` as `issued` from `domlink`,`domains`,`domaincerts` - where `domlink`.`domid`=`domains`.`id` and `domlink`.`certid`=`domaincerts`.`id` and `domaincerts`.`revoked`=0 and - `domaincerts`.`subject` like '%subjectAltName=DNS:$ref/%' order by `domaincerts`.`id`"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) - { - $bits = explode(".", $ref); - for($i = 1; $i < count($bits); $i++) - { - if($ref2 != "") - $ref2 .= "."; - $ref2 .= $bits[$i]; - } + $arr = explode("//", mysql_real_escape_string(trim($_SERVER['HTTP_REFERER'])), 2); + $arr = explode("/", $arr['1'], 2); + $siteref = $arr['0']; + + if($ref == "" || ($ref != $siteref && $siteref != "")) + { + if($siteref != "") + $siterefer = $_SERVER['HTTP_REFERER']; + else + $siterefer = $_REQUEST['refer']; + $invalid = 2; + } else { $query = "select *,`domaincerts`.`created` as `issued` from `domlink`,`domains`,`domaincerts` where `domlink`.`domid`=`domains`.`id` and `domlink`.`certid`=`domaincerts`.`id` and `domaincerts`.`revoked`=0 and - (`domaincerts`.`subject` like '%subjectAltName=DNS:$ref2/%' or `domaincerts`.`subject` like '%subjectAltName=DNS:*.$ref2/%') - order by `domaincerts`.`id`"; + `domaincerts`.`subject` like '%subjectAltName=DNS:$ref/%' order by `domaincerts`.`id`"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { - $query = "select *,`orgdomaincerts`.`created` as `issued` from `orgdomaincerts`,`orgdomlink`,`orgdomains` where - (`orgdomaincerts`.`subject` like '%=$ref%' or `orgdomaincerts`.`subject` like '%=*.$ref2%') and - `orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and `orgdomlink`.`orgdomid`=`orgdomains`.`id` and - `orgdomaincerts`.`revoked`=0 order by `orgdomaincerts`.`id`"; + $bits = explode(".", $ref); + for($i = 1; $i < count($bits); $i++) + { + if($ref2 != "") + $ref2 .= "."; + $ref2 .= $bits[$i]; + } + $query = "select *,`domaincerts`.`created` as `issued` 
from `domlink`,`domains`,`domaincerts` + where `domlink`.`domid`=`domains`.`id` and `domlink`.`certid`=`domaincerts`.`id` and `domaincerts`.`revoked`=0 and + (`domaincerts`.`subject` like '%subjectAltName=DNS:$ref2/%' or `domaincerts`.`subject` like '%subjectAltName=DNS:*.$ref2/%') + order by `domaincerts`.`id`"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { - $invalid = 1; - } else { - $org = 1; + $query = "select *,`orgdomaincerts`.`created` as `issued` from `orgdomaincerts`,`orgdomlink`,`orgdomains` where + (`orgdomaincerts`.`subject` like '%=$ref%' or `orgdomaincerts`.`subject` like '%=*.$ref2%') and + `orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and `orgdomlink`.`orgdomid`=`orgdomains`.`id` and + `orgdomaincerts`.`revoked`=0 order by `orgdomaincerts`.`id`"; + $res = mysql_query($query); + if(mysql_num_rows($res) <= 0) + { + $invalid = 1; + } else { + $org = 1; + } } } } - $cert = mysql_fetch_assoc($res); - if($org == 0) + if($invalid == 0) { - $query = "SELECT *, sum(`points`) AS `total` FROM `users`, `notary` WHERE `users`.`id` = '$cert[memid]' AND - `notary`.`to` = `users`.`id` and `notary`.`when` <= '$cert[issued]' GROUP BY `notary`.`to`"; - $user = mysql_fetch_assoc(mysql_query($query)); - } else { - $query = "select * from `orginfo` where `id`='$cert[orgid]'"; - $orgi = mysql_fetch_assoc(mysql_query($query)); + $cert = mysql_fetch_assoc($res); + if($org == 0) + { + $query = "SELECT *, sum(`points`) AS `total` FROM `users`, `notary` WHERE `users`.`id` = '$cert[memid]' AND + `notary`.`to` = `users`.`id` and `notary`.`when` <= '$cert[issued]' GROUP BY `notary`.`to`"; + $user = mysql_fetch_assoc(mysql_query($query)); + } else { + $query = "select * from `orginfo` where `id`='$cert[orgid]'"; + $orgi = mysql_fetch_assoc(mysql_query($query)); + } } ?> @@ -90,7 +106,7 @@ google_ad_channel = "";
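Review bot: The queries in the new else branch still interpolate `$ref` into LIKE patterns (`like '%subjectAltName=DNS:$ref/%'`, and the `$ref2` and `*.$ref2` variants below it), and the added referer check does not close that hole: when no Referer header arrives, `$siteref` is empty and any non-empty `$ref` is accepted, so a `refer` value whose host part is `%` or `_` matches certificates for arbitrary names and renders them as valid. `mysql_real_escape_string()`, which `$ref` presumably passes through above the hunk, leaves LIKE metacharacters untouched, so escape them separately before building the pattern, e.g. `$reflike = addcslashes($ref, '%_');` (and likewise for `$ref2`) and use those in the patterns. `$siterefer = $_SERVER['HTTP_REFERER'];` keeps the raw header; if that value is echoed into the report link further down the page it needs `htmlspecialchars()` at output. The code that derives `$ref` from the request starts outside this hunk.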

This site has potentially abused CAcert logos and Copyrights, please report it so we may further investigate.

-

Problem with this site? Please report it

+

Problem with this site? Please report it

diff --git a/stamp/displogo.php b/stamp/displogo.php index 4ad092f..4045d63 100644 --- a/stamp/displogo.php +++ b/stamp/displogo.php @@ -4,9 +4,23 @@ $arr = explode("/", $arr['1'], 2); $ref = $arr['0']; + $arr = explode("//", mysql_real_escape_string(trim($_SERVER['HTTP_REFERER'])), 2); + $arr = explode("/", $arr['1'], 2); + $siteref = $arr['0']; + + header('Content-type: image/png'); $im = imagecreatefrompng($img); + if($ref == "" || ($ref != $siteref && $siteref != "")) + { + $tc = imagecolorallocate ($im, 255, 0, 0); + imagestring ($im, 2, 1, 30, "INVALID DOMAIN", $tc); + imagestring ($im, 2, 1, 45, "Click to Report", $tc); + imagepng($im); + exit; + } + $query = "select * from `domlink`,`domains`,`domaincerts` where `domlink`.`domid`=`domains`.`id` and `domlink`.`certid`=`domaincerts`.`id` and `domaincerts`.`revoked`=0 and `domaincerts`.`subject` like '%subjectAltName=DNS:$ref/%' order by `domaincerts`.`id`"; diff --git a/stamp/report.php b/stamp/report.php index f9125bc..58ca22c 100644 --- a/stamp/report.php +++ b/stamp/report.php @@ -41,7 +41,7 @@ $body .= "Reason: $reason\n"; $body .= "Comment: $comment\n"; - sendmail("cacert-abuse@lists.cacert.org,$email", "[CAcert.org] Abuse Report.", $body, "website@cacert.org", "", "", "CAcert Website"); + sendmail("cacert-abuse@lists.cacert.org", "[CAcert.org] Abuse Report.", $body, "website@cacert.org", "", "", "CAcert Website"); } ?> @@ -87,7 +87,7 @@ google_ad_channel = "";
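Review bot: The check `if($ref == "" || ($ref != $siteref && $siteref != ""))` fails open: a page that suppresses the Referer header, or any client that omits it, yields `$siteref == ""` and the genuine badge is drawn for whatever `$ref` was supplied, so the INVALID DOMAIN image only catches naive embedding; that limit deserves a comment, `// Referer is client-controlled and optional: this deters casual misuse, it is not an authorisation check.` The host comparison is also an exact string match on a value that has been through `mysql_real_escape_string()` and `explode()`, so a legitimate embed is rejected when the referer differs only in case (`WWW.EXAMPLE.ORG`) or carries a port or userinfo (`example.org:8080`), and, as far as I can tell, `mysql_real_escape_string()` returning false when no connection is open would also collapse `$siteref` to "" and silently skip the check. Since `$siteref` is only compared and never queried, derive it as `$siteref = isset($_SERVER['HTTP_REFERER']) ? strtolower((string) parse_url(trim($_SERVER['HTTP_REFERER']), PHP_URL_HOST)) : '';` and normalise `$ref` the same way; the lines deriving `$ref` lie above the hunk.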
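Review bot: Removing `$email` from the recipient list closes the relay path (the form could previously deliver an "abuse report" to any address the submitter chose), but the reporter's address is now not visible anywhere in the hunk; if the `$body` lines above `Reason:` (outside the hunk) do not already record it, add `$body .= "Reporter: $email\n";` so the abuse team can still follow up without the value ever becoming an envelope recipient. `$reason` and `$comment` are still interpolated raw into the body, which is fine for a body but must not be reused in any header. The enclosing block that builds `$body` starts outside the hunk.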
-

We thank you for your attention to detail, your report has been accepted and we will tend to your report as soon as humanly possible. You will receive a confirmation of your report by email.

+

We thank you for your attention to detail, your report has been accepted and we will tend to your report as soon as humanly possible.

diff --git a/stamp/style.css b/stamp/style.css
index c0e4422..79d3c35 100644
--- a/stamp/style.css
+++ b/stamp/style.css
@@ -607,7 +607,7 @@ label {
 label,input,select {
 display: block;
- width: 150px;
+ width: 250px;
 float: left;
 margin-bottom: 10px;
 }
diff --git a/www/src-lic.php b/www/src-lic.php
index 6b986dc..9cdc5c7 100644
--- a/www/src-lic.php
+++ b/www/src-lic.php
@@ -1,7 +1,7 @@