Home page logo

fulldisclosure logo Full Disclosure mailing list archives

CAcert non-persistent XSS
From: Alexander Klink <a.klink () cynops de>
Date: Mon, 29 Sep 2008 10:27:37 +0200


normally I wouldn't bother much posting a simple XSS here, but I'll
make an exception for CAcert today.

Kriss Andsten's blog post 
made me want to take a look at the CAcert source myself, and so I did
on Friday. It certainly isn't up to secure coding practices, they quote
all HTML output and all MySQL queries manually, and so they are bound to
occasionally miss something - like they did in analyse.php.

Being an open source (PKI) developer, I'd be happy to see a free (not only
as in beer, but also as in speech) CA that is widely accepted - having
glanced shortly at the code (same as Kriss, I wouldn't be surprised if
there is more to be found if you know more about PHP security than me),
I wonder if CAcert is that CA ...

Enough rambling, here you go:

||| Security Advisory AKLINK-SA-2008-007 |||

CAcert - Cross Site Scripting

Date released: 29.09.2008
Date reported: 26.09.2008
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   a.klink () cynops de
   (S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-007-signed.txt)

Vendor: CAcert
Product: CAcert - certificate authority providing free certificates
Website: http[s]://www.cacert.org
Vulnerability: non-persistent cross site scripting
Class: remote
Status: patched
Severity: moderate (authentication information may be stolen)
Releases known to be affected: cacert-20080921.tar.bz2
Releases known NOT to be affected: cacert-20080928.tar.bz2


CAcert is a certifificate authority that provides free certificates
to end users based on a web-of-trust assurance model.


CAcert provides a page that allows a user to show information on
a given X.509 certificate. This page was vulnerable to a cross site
scripting attack, which might have led to session information of a
logged-in user being compromised.

Technical details:

http[s]://www.cacert.org/analyse.php contains the following code:

    echo "<pre>";
    echo "</pre>";

which is used to dump the certificate details as parsed by the
openssl_x509_parse() PHP function.
No escaping whatsoever of this information is done, so an attacker
can create a certificate with HTML tags, which are then shown on the

A PoC certificate can easily be creating using OpenSSL:

$ openssl req -new -x509 \
              -subj "/CN=<\/pre><script>alert(document.cookies)<\/script><pre>"


* 26.09.2008: Contacted Philipp Guehring about the issue
* 27.09.2008: Philipp informs me that the issue has been fixed


Has been fixed by escaping the output using htmlspecialchars().


- Alexander Klink, Cynops GmbH (discovery)

Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink () cynops de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

Attachment: smime.p7s

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • CAcert non-persistent XSS Alexander Klink (Sep 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]