OpenCA Security Advisory: Cross Site Scripting vulnerability

Martin Bartosch <mb-bugtraq@cynops.de>
Michael Bell <michael.bell@cms.hu-berlin.de>

2004-09-01 Initial revision
2004-09-06 Public release
2004-09-07 OpenCA 0.9.1-10 released (initial bugfix release contained a bug)
2004-09-23 Fixed advisory released
The OpenCA Project is a collaborative effort to develop a robust,
full-featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open-Source Projects. Among the
supported software are OpenLDAP, OpenSSL, Apache Project, Apache mod_ssl.
A Cross Site Scripting (XSS) vulnerability was found in the OpenCA PKI
software, allowing users of the system to inject malicious HTML
code into the system. The malicious code may even affect offline
All versions of OpenCA, including 0.9.1-8 and 0.9.2 RC6.
Form input to the web frontends is not properly validated, making it
possible to inject malicious HTML code into the system. Once the
offending code has been inserted into the system, it may affect
PKI staff or other users accessing the data.
OpenCA advocates the separation between individual frontends and the
use of an offline CA and RA. In this case data is exchanged using
a removable medium such as a floppy disk. The offending code embedded
in the user data may thus be transferred even to systems not connected
to a network and might be used to attack offline nodes.
Cross site scripting attacks primarily affect the client system
running the browser used to display the web page. OpenCA itself is
not directly affected by such attacks. However, XSS exploit
code may be deployed e.g. in order to gain session credentials,
allowing for session takeover. More advanced attacks (requiring
specially crafted exploit code) could even be targeted at manipulating
data on the OpenCA node on the user's behalf.
All users of OpenCA should upgrade to a version that is not affected

OpenCA version 0.9.1 users are encouraged to upgrade to version 0.9.1-9.
Users of the current development branch 0.9.2 should upgrade to CVS
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0787 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0787

URL for this Security Advisory:
http://www.openca.org/news/CAN-2004-0787.txt
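Added example (Perl, not OpenCA code) illustrating the NOTE/FIXME carried in the patches below: an input-time filter that rewrites only `<` and `>` cannot be undone reliably before a value reaches certificate generation, because a user-supplied literal `&lt;` is indistinguishable from an escaped `<`, whereas escaping `&` as well makes the encoding reversible. The function names and sample values are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not OpenCA code): why an input-time filter that rewrites
# only < and > cannot be reversed losslessly later, and what a reversible
# encoding looks like. Sample values below are constructed.
use strict;
use warnings;

# Filter in the spirit of validateCGIParameters: neutralise angle
# brackets only, leaving &, " and ' as they are.
sub escape_angle_only {
    my ($s) = @_;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Full encoding: & is escaped first, so every entity in the output was
# produced by the encoder and decoding cannot misread user-supplied text.
sub html_encode {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Decoder a certificate-generation routine would need (the patch's FIXME).
sub html_decode {
    my ($s) = @_;
    $s =~ s/&quot;/"/g;
    $s =~ s/&gt;/>/g;
    $s =~ s/&lt;/</g;
    $s =~ s/&amp;/&/g;    # must come last
    return $s;
}

# Returns true when encode followed by decode gives back the original.
sub round_trips {
    my ($value, $encoder) = @_;
    return html_decode($encoder->($value)) eq $value;
}

my @samples = ('Alice <Admin>', 'R&D Dept', 'A &lt; B');  # constructed
for my $v (@samples) {
    printf "%-15s angle-only %-6s full %s\n", $v,
        round_trips($v, \&escape_angle_only) ? 'ok' : 'LOSSY',
        round_trips($v, \&html_encode)       ? 'ok' : 'LOSSY';
}
```

Only the third sample is reported as LOSSY for the angle-only filter: a name that legitimately contains the text `&lt;` would come back as `<` after unescaping, so the filter cannot be reversed without guessing.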
###########################################################################
## Patches against version 0.9.2
###########################################################################
94 Index: src/common/lib/functions/initServer
95 ===================================================================
96 RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/initServer,v
97 retrieving revision 1.40
98 diff -u -r1.40 initServer
99 --- src/common/lib/functions/initServer 30 Aug 2004 12:31:53 -0000 1.40
100 +++ src/common/lib/functions/initServer 1 Sep 2004 13:27:27 -0000
102 $query->set_gettext (\&i18nGettext);
105 + ## validate input data
106 + ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
107 + validateCGIParameters(\$query);
109 ## reinit configuration
110 my $CONFIG = $AUTOCONF {"etc_prefix"}.'/servers/'.$AUTOCONF {"config_prefix"}.'.conf';
111 if( not defined (my $ret = $config->loadCfg( "$CONFIG" )) ) {
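Review bot: the call validateCGIParameters(\$query) is placed right after $query->set_gettext and before the configuration is loaded, so every later consumer of $query sees filtered values, which is the right spot; the sub itself lives in misc-utils.lib, and nothing in this hunk shows that library being loaded before this point, so verify it is already required here (a call to an undefined sub is a fatal run-time error, so a missing include would at least fail closed). Note that the 0.9.2 branch filters centrally in initServer, while the 0.9.1-8 patches below add the call to each frontend script individually.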
112 Index: src/common/lib/functions/misc-utils.lib
113 ===================================================================
114 RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
115 retrieving revision 1.50
116 diff -u -r1.50 misc-utils.lib
117 --- src/common/lib/functions/misc-utils.lib 26 Aug 2004 14:08:03 -0000 1.50
118 +++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 13:27:27 -0000
123 +# 2004-08-31 Martin Bartosch <m.bartosch@cynops.de>
124 +# clean up CGI parameters
125 +# input: reference to CGI class instance
126 +# This function modifies the object itself
127 +sub validateCGIParameters {
128 + my $queryref = shift;
130 + ## validate input data
131 + ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
132 + foreach my $param (keys %{$$queryref->Vars}) {
133 + my @values = $$queryref->param($param);
135 + # replace < and > with < and &rt; for all CGI parameters passed
136 + # NOTE/FIXME: unescaping might be necessary when actually
137 + # passing this data to e. g. certificate generation routines
138 + # to prevent literal XML entities in certificate contents
143 + $$queryref->param(-name => $param, -value => [ @values ]);
145 + # extra sanity check just to be sure (redundant)
146 + foreach (@values) {
148 + print "Content-type: text/html\n\n";
149 + print "Security violation\n";
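Review bot: the comment on the substitution names `&rt;`, which is not an HTML entity (the entity for `>` is `&gt;`); the substitution lines themselves are not in this excerpt, so confirm the code emits `&gt;`, otherwise browsers will not treat the result as an entity. The loop also rewrites only `<` and `>` and leaves `&`, `"` and `'` untouched; because `&` is not escaped the transformation is not reversible, which is exactly why the NOTE/FIXME about unescaping before certificate generation cannot later be resolved without loss. Encoding at output time in the templates, with the full character set, is the more robust long-term fix; the input filter is acceptable as the emergency measure this advisory ships.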
###########################################################################
## Patches against version 0.9.1-8
###########################################################################
168 Index: src/common/lib/functions/misc-utils.lib
169 ===================================================================
170 RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
171 retrieving revision 1.16.2.2
172 diff -u -r1.16.2.2 misc-utils.lib
173 --- src/common/lib/functions/misc-utils.lib 16 Apr 2003 13:24:51 -0000 1.16.2.2
174 +++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 11:49:14 -0000
179 +# 2004-08-31 Martin Bartosch <m.bartosch@cynops.de>
180 +# clean up CGI parameters
181 +# input: reference to CGI class instance
182 +# This function modifies the object itself
183 +sub validateCGIParameters {
184 + my $queryref = shift;
186 + ## validate input data
187 + ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
188 + foreach my $param (keys %{$$queryref->Vars}) {
189 + my @values = $$queryref->param($param);
191 + # replace < and > with < and &rt; for all CGI parameters passed
192 + # NOTE/FIXME: unescaping might be necessary when actually
193 + # passing this data to e. g. certificate generation routines
194 + # to prevent literal XML entities in certificate contents
199 + $$queryref->param(-name => $param, -value => [ @values ]);
201 + # extra sanity check just to be sure (redundant)
202 + foreach (@values) {
204 + print "Content-type: text/html\n\n";
205 + print "Security violation\n";
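Review bot: this hunk adds the same validateCGIParameters as the 0.9.2 patch, so the same points apply (`&rt;` in the comment, only `<` and `>` rewritten). One additional point for the "Security violation" branch: the lines following the two print statements are not in the excerpt; the handler must terminate the request (exit) after printing, otherwise the script continues with the offending values. Also, `%{$$queryref->Vars}` packs multi-valued parameters into a single "\0"-joined string in the hash values; harmless here because only the keys are used, but worth a comment so nobody later reads the values from that hash.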
214 Index: src/web-interfaces/ca/ca.in
215 ===================================================================
216 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ca/ca.in,v
217 retrieving revision 1.8.2.1
218 diff -u -r1.8.2.1 ca.in
219 --- src/web-interfaces/ca/ca.in 10 Nov 2003 13:10:48 -0000 1.8.2.1
220 +++ src/web-interfaces/ca/ca.in 1 Sep 2004 11:49:16 -0000
222 ##// Now it's time to get the parameters passed over the web
223 $query = new OpenCA::TRIStateCGI;
225 +## validate input parameters
226 +validateCGIParameters(\$query);
228 ## Generate a new reference to Configuration ( instance )
229 $dbconfig = new OpenCA::Configuration;
230 $dbiconfig = new OpenCA::Configuration;
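Review bot: the call is inserted immediately after the query object is created and before any parameter is read, which is correct; however validateCGIParameters is defined in misc-utils.lib, and nothing in this hunk shows that library being loaded before this point, so verify the sub is defined by the time ca.in reaches the call (an undefined sub is a fatal run-time error, so the script would fail closed rather than silently skip the filter). The same one-line change is repeated for ldap.in, node.in, pki.in, scepd.in and RAServer.in below; any frontend script not in that list stays unfiltered on this branch.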
231 Index: src/web-interfaces/ldap/ldap.in
232 ===================================================================
233 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ldap/ldap.in,v
234 retrieving revision 1.7.2.1
235 diff -u -r1.7.2.1 ldap.in
236 --- src/web-interfaces/ldap/ldap.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
237 +++ src/web-interfaces/ldap/ldap.in 1 Sep 2004 11:49:16 -0000
239 ##// Now it's time to get the parameters passed over the web
240 $query = new OpenCA::TRIStateCGI;
242 +## validate input parameters
243 +validateCGIParameters(\$query);
245 ## Generate a new reference to Configuration ( instance )
246 $dbconfig = new OpenCA::Configuration;
247 $dbiconfig = new OpenCA::Configuration;
248 Index: src/web-interfaces/node/node.in
249 ===================================================================
250 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/node/node.in,v
251 retrieving revision 1.2.2.1
252 diff -u -r1.2.2.1 node.in
253 --- src/web-interfaces/node/node.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
254 +++ src/web-interfaces/node/node.in 1 Sep 2004 11:49:17 -0000
256 ##// Now it's time to get the parameters passed over the web
257 $query = new OpenCA::TRIStateCGI;
259 +## validate input parameters
260 +validateCGIParameters(\$query);
262 ## Generate a new reference to Configuration ( instance )
263 $dbconfig = new OpenCA::Configuration;
264 $dbiconfig = new OpenCA::Configuration;
265 Index: src/web-interfaces/pub/pki.in
266 ===================================================================
267 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/pki.in,v
268 retrieving revision 1.7.2.1
269 diff -u -r1.7.2.1 pki.in
270 --- src/web-interfaces/pub/pki.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
271 +++ src/web-interfaces/pub/pki.in 1 Sep 2004 11:49:17 -0000
273 ##// Now it's time to get the parameters passed over the web
274 $query = new OpenCA::TRIStateCGI;
276 +## validate input parameters
277 +validateCGIParameters(\$query);
279 ## Generate a new reference to Configuration ( instance )
280 $dbconfig = new OpenCA::Configuration;
281 $dbiconfig = new OpenCA::Configuration;
282 Index: src/web-interfaces/pub/scepd.in
283 ===================================================================
284 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/Attic/scepd.in,v
285 retrieving revision 1.2.2.1
286 diff -u -r1.2.2.1 scepd.in
287 --- src/web-interfaces/pub/scepd.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
288 +++ src/web-interfaces/pub/scepd.in 1 Sep 2004 11:49:17 -0000
290 ##// Now it's time to get the parameters passed over the web
291 $query = new OpenCA::TRIStateCGI;
293 +## validate input parameters
294 +validateCGIParameters(\$query);
296 ## Generate a new reference to Configuration ( instance )
297 $dbconfig = new OpenCA::Configuration;
298 $dbiconfig = new OpenCA::Configuration;
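Review bot: the RCS path for this file is under `Attic/`, which means scepd.in has been deleted on the CVS trunk and only survives on the release branch; confirm that 0.9.1-8 still ships this script so the hunk is applied where it is needed, and that the 0.9.2 branch has no other SCEP entry point that bypasses initServer and therefore the central filter.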
299 Index: src/web-interfaces/ra/RAServer.in
300 ===================================================================
301 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ra/RAServer.in,v
302 retrieving revision 1.8.2.1
303 diff -u -r1.8.2.1 RAServer.in
304 --- src/web-interfaces/ra/RAServer.in 10 Nov 2003 13:10:49 -0000 1.8.2.1
305 +++ src/web-interfaces/ra/RAServer.in 1 Sep 2004 11:49:18 -0000
307 ##// Now it's time to get the parameters passed over the web
308 $query = new OpenCA::TRIStateCGI;
310 +## validate input parameters
311 +validateCGIParameters(\$query);
313 ## Generate a new reference to Configuration ( instance )
314 $dbconfig = new OpenCA::Configuration;
315 $dbiconfig = new OpenCA::Configuration;