OpenCA HTML Injection Vulnerability

Vulnerability Details

Summary

The web front-end of OpenCA 0.9.1-8 and earlier, and of 0.9.2 RC6 and earlier, contains a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via form input fields.

Advisory

Security Patches
###########################################################################
## Patches against version 0.9.2
###########################################################################
Index: src/common/lib/functions/initServer
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/initServer,v
retrieving revision 1.40
diff -u -r1.40 initServer
— src/common/lib/functions/initServer 30 Aug 2004 12:31:53 -0000 1.40
+++ src/common/lib/functions/initServer 1 Sep 2004 13:27:27 -0000
@@ -184,6 +184,10 @@
$query->set_gettext (\&i18nGettext);
close ($fh);
+ ## validate input data
+ ## 2004-08-27 Martin Bartosch
+ validateCGIParameters(\$query);
+
## reinit configuration
my $CONFIG = $AUTOCONF {“etc_prefix”}.’/servers/’.$AUTOCONF
{“config_prefix”}.’.conf’;
if( not defined (my $ret = $config->loadCfg( “$CONFIG” )) ) {
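Review bot: `validateCGIParameters(\$query)` prints its own `Content-type: text/html` header and calls `exit 101` when a value matches, so the call inserted after `close ($fh);` must run before initServer has emitted any output, otherwise the response carries two headers. It also writes the entity-encoded values back into `$query`, so everything after this point, including the configuration reload under `## reinit configuration` and the certificate-handling code that follows, receives `&lt;`/`&gt;` in place of the characters the user typed; the FIXME in misc-utils.lib acknowledges this, but nothing here undoes it for the non-HTML consumers.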
Index: src/common/lib/functions/misc-utils.lib
===================================================================
RCS file:
/cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
retrieving revision 1.50
diff -u -r1.50 misc-utils.lib
— src/common/lib/functions/misc-utils.lib 26 Aug 2004 14:08:03 -0000 1.50
+++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 13:27:27 -0000
@@ -443,4 +443,39 @@
debug ($cmd, @_);
}
+# 2004-08-31 Martin Bartosch
+# clean up CGI parameters
+# input: reference to CGI class instance
+# This function modifies the object itself
+sub validateCGIParameters {
+ my $queryref = shift;
+
+ ## validate input data
+ ## 2004-08-27 Martin Bartosch
+ foreach my $param (keys %{$$queryref->Vars}) {
+ my @values = $$queryref->param($param);
+
+ # replace < and > with < and &rt; for all CGI parameters passed
+ # NOTE/FIXME: unescaping might be necessary when actually
+ # passing this data to e. g. certificate generation routines
+ # to prevent literal XML entities in certificate contents
+ map {
+ s//>/gm;
+ } @values;
+ $$queryref->param(-name => $param, -value => @values);
+
+ # extra sanity check just to be sure (redundant)
+ foreach (@values) {
+ if (/<\S+.*?>/m) {
+ print “Content-type: text/html\n\n”;
+ print “Security violation\n”;
+ exit 101;
+ }
+ }
+ }
+ return $queryref;
+}
+
+
1;
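Review bot: the substitution inside the `map` block, shown here as `s//>/gm;`, has an empty pattern, which in Perl reuses the last successfully matched regex rather than matching `<` or `>`; as printed, this hunk does not perform the replacement the comment describes and needs to read as two explicit substitutions to `&lt;` and `&gt;` before it can be applied. The comment's `&rt;` is not an HTML entity (`&gt;` is meant). Separately, `$$queryref->param(-name => $param, -value => @values)` flattens the list, so a multi-valued field keeps only its first value; CGI.pm expects an array reference here, `-value => \@values`. Escaping only `<` and `>` also leaves `&`, `"` and `'` untouched, so a value echoed inside a quoted attribute is not protected; encoding at output time with a full character map is the more robust fix.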
###########################################################################
## Patches against version 0.9.1-8
###########################################################################
Index: src/common/lib/functions/misc-utils.lib
===================================================================
RCS file:
/cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
retrieving revision 1.16.2.2
diff -u -r1.16.2.2 misc-utils.lib
— src/common/lib/functions/misc-utils.lib 16 Apr 2003 13:24:51
-0000 1.16.2.2
+++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 11:49:14 -0000
@@ -445,4 +445,38 @@
}
+# 2004-08-31 Martin Bartosch
+# clean up CGI parameters
+# input: reference to CGI class instance
+# This function modifies the object itself
+sub validateCGIParameters {
+ my $queryref = shift;
+
+ ## validate input data
+ ## 2004-08-27 Martin Bartosch
+ foreach my $param (keys %{$$queryref->Vars}) {
+ my @values = $$queryref->param($param);
+
+ # replace < and > with < and &rt; for all CGI parameters passed
+ # NOTE/FIXME: unescaping might be necessary when actually
+ # passing this data to e. g. certificate generation routines
+ # to prevent literal XML entities in certificate contents
+ map {
+ s//>/gm;
+ } @values;
+ $$queryref->param(-name => $param, -value => @values);
+
+ # extra sanity check just to be sure (redundant)
+ foreach (@values) {
+ if (/<\S+.*?>/m) {
+ print “Content-type: text/html\n\n”;
+ print “Security violation\n”;
+ exit 101;
+ }
+ }
+ }
+ return $queryref;
+}
+
1;
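Review bot: this is a verbatim copy of the 0.9.2 `validateCGIParameters`, so the same defects apply: the `s//>/gm;` substitution is empty as shown, `&rt;` should be `&gt;`, and `-value => @values` drops all but the first value of a multi-valued field. In addition, the fallback check `if (/<\S+.*?>/m)` aborts the CGI with `exit 101` and prints `Security violation` without recording which parameter tripped it; logging the parameter name (not the raw value) before exiting would make such events investigable rather than silent.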
Index: src/web-interfaces/ca/ca.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ca/ca.in,v
retrieving revision 1.8.2.1
diff -u -r1.8.2.1 ca.in
— src/web-interfaces/ca/ca.in 10 Nov 2003 13:10:48 -0000 1.8.2.1
+++ src/web-interfaces/ca/ca.in 1 Sep 2004 11:49:16 -0000
@@ -132,6 +132,9 @@
##// Now it’s time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;
+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
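Review bot: `validateCGIParameters` is defined in misc-utils.lib and is called here on `\$query` where `$query` is an `OpenCA::TRIStateCGI` object, not a plain `CGI`; the function depends on that class exposing CGI.pm-compatible `Vars` and `param` methods, and on misc-utils.lib already being loaded at this point in ca.in, neither of which this hunk shows. The same applies to the identical insertions in ldap.in, node.in, pki.in and scepd.in below.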
Index: src/web-interfaces/ldap/ldap.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ldap/ldap.in,v
retrieving revision 1.7.2.1
diff -u -r1.7.2.1 ldap.in
— src/web-interfaces/ldap/ldap.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
+++ src/web-interfaces/ldap/ldap.in 1 Sep 2004 11:49:16 -0000
@@ -138,6 +138,9 @@
##// Now it’s time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;
+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/node/node.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/node/node.in,v
retrieving revision 1.2.2.1
diff -u -r1.2.2.1 node.in
— src/web-interfaces/node/node.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
+++ src/web-interfaces/node/node.in 1 Sep 2004 11:49:17 -0000
@@ -139,6 +139,9 @@
##// Now it’s time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;
+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/pub/pki.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/pki.in,v
retrieving revision 1.7.2.1
diff -u -r1.7.2.1 pki.in
— src/web-interfaces/pub/pki.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
+++ src/web-interfaces/pub/pki.in 1 Sep 2004 11:49:17 -0000
@@ -136,6 +136,9 @@
##// Now it’s time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;
+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/pub/scepd.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/Attic/scepd.in,v
retrieving revision 1.2.2.1
diff -u -r1.2.2.1 scepd.in
— src/web-interfaces/pub/scepd.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
+++ src/web-interfaces/pub/scepd.in 1 Sep 2004 11:49:17 -0000
@@ -121,6 +121,9 @@
##// Now it’s time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;
+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/ra/RAServer.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ra/RAServer.in,v
retrieving revision 1.8.2.1
diff -u -r1.8.2.1 RAServer.in
— src/web-interfaces/ra/RAServer.in 10 Nov 2003 13:10:49 -0000 1.8.2.1
+++ src/web-interfaces/ra/RAServer.in 1 Sep 2004 11:4
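As an added example (not OpenCA code and not part of the advisory), the following Perl shows output-time HTML escaping of CGI parameter values that covers `&` and both quote characters as well as `<` and `>`, and keeps multi-valued fields intact; it assumes CGI.pm (on CPAN for modern Perl) as a stand-in for the OpenCA::TRIStateCGI object, and the query string is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not OpenCA code: escape CGI parameter values for HTML at
# output time. Unlike the advisory patch, which rewrites only '<' and '>'
# and stores the result back into the CGI object, this leaves the stored
# values untouched and escapes all five HTML-significant characters, so a
# value placed inside a quoted attribute cannot break out of it.
use strict;
use warnings;
use CGI;   # assumption: CGI.pm stands in for OpenCA::TRIStateCGI

# Characters that are significant in HTML text and attribute context.
my %ESCAPE = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

# Escape one scalar for inclusion in HTML text or a quoted attribute.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/([&<>"'])/$ESCAPE{$1}/g;
    return $s;
}

# Return a copy of every parameter with each value escaped. Multi-valued
# fields are preserved as array references instead of being collapsed.
sub escaped_params {
    my ($query) = @_;
    my %out;
    foreach my $name ($query->param) {
        # param() in list context yields every value of a repeated field
        $out{$name} = [ map { html_escape($_) } $query->param($name) ];
    }
    return \%out;
}

# Constructed query string (no real request): a repeated field and a value
# containing quotes, an ampersand and angle brackets.
my $q = CGI->new('cn=Alice&cn=<b>bold</b>&note=say+%22hi%22+%26+<bye>');
my $p = escaped_params($q);
foreach my $name (sort keys %$p) {
    print "$name: ", join(' | ', @{ $p->{$name} }), "\n";
}
```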

References

Source: XF
Name: openca-frontend-xss(17274)
Link: http://xforce.iss.net/xforce/xfdb/17274

Source: BID
Name: 11113
Link: http://www.securityfocus.com/bid/11113

Source: www.openca.org
Link: http://www.openca.org/news/CAN-2004-0787.txt

Source: BUGTRAQ
Name: 20040906 OpenCA Security Advisory: Cross Site Scripting vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109448767123954&w=2
