CVE-2004-0787
CVSS 4.3
Published: 2004-10-20 00:00:00
Last revised: 2016-10-17 22:48:59

[Original] Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, allows remote attackers to inject arbitrary web script or HTML via the form input fields.


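[CNNVD] OpenCA HTML injection vulnerability (CNNVD-200410-039)

The web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, contains a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via form input fields.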

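- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)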

cpe:/a:openca:openca:0.9.1.5
cpe:/a:openca:openca:0.9.1.4
cpe:/a:openca:openca:0.9.1.7
cpe:/a:openca:openca:0.9.1.6
cpe:/a:openca:openca:0.9.1.8
cpe:/a:openca:openca:0.9.0.2
cpe:/a:openca:openca:0.9.0.1
cpe:/a:openca:openca:0.9.1.3
cpe:/a:openca:openca:0.9.1.2
cpe:/a:openca:openca:0.8.1
cpe:/a:openca:openca:0.9.0
cpe:/a:openca:openca:0.8.0
cpe:/a:openca:openca:0.9.1
cpe:/a:openca:openca:0.8.6
cpe:/a:openca:openca:0.9.2_rc6

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0787
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0787
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-039
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109448767123954&w=2
(UNKNOWN)  BUGTRAQ  20040906 OpenCA Security Advisory: Cross Site Scripting vulnerability
http://www.openca.org/news/CAN-2004-0787.txt
(VENDOR_ADVISORY)  CONFIRM  http://www.openca.org/news/CAN-2004-0787.txt
http://www.securityfocus.com/bid/11113
(VENDOR_ADVISORY)  BID  11113
http://xforce.iss.net/xforce/xfdb/17274
(VENDOR_ADVISORY)  XF  openca-frontend-xss(17274)

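- Vulnerability information

OpenCA HTML injection vulnerability
Medium severity  Cross-site scripting
2004-10-20 00:00:00 2005-10-20 00:00:00
Remote
The web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, contains a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via form input fields.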


- Vulnerability information

9749
OpenCA Client System Browser Form Input Field XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

OpenCA contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input variables upon submission to the web frontends. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- Timeline

2004-09-06 Unknown
Unknown Unknown

- Solution

Upgrade to 0.9.1-9 if using 0.9.1 and CVS head if using the current development branch 0.9.2, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

OpenCA HTML Injection Vulnerability
Input Validation Error 11113
Yes No
2004-09-06 12:00:00 2009-07-12 07:06:00
Announced by Martin Bartosch <mb-bugtraq@cynops.de> and Michael Bell <michael.bell@cms.hu-berlin.de>.

- Affected program versions

OpenCA OpenCA 0.9.2 RC6
OpenCA OpenCA 0.9.1 -8
OpenCA OpenCA 0.9.1 -7
OpenCA OpenCA 0.9.1 -6
OpenCA OpenCA 0.9.1 -5
OpenCA OpenCA 0.9.1 -4
OpenCA OpenCA 0.9.1 -3
OpenCA OpenCA 0.9.1 -2
OpenCA OpenCA 0.9.1 -1
OpenCA OpenCA 0.9.1
OpenCA OpenCA 0.9 .0-2
OpenCA OpenCA 0.9 .0-1
OpenCA OpenCA 0.9 .0
OpenCA OpenCA 0.8.6
OpenCA OpenCA 0.8.1
OpenCA OpenCA 0.8 .0

- Vulnerability discussion

It has been reported that OpenCA is vulnerable to a HTML injection attack due to inadequate validation / filtering of user input into a web form frontend. The vulnerability is present in the OpenCA PKI software. According to the report, malicious user-data containing embedded HTML will persist in the system after it is injected.

- Exploit

There is no exploit code required.

- Solution


Security Patches

###########################################################################
## Patches against version 0.9.2
###########################################################################

Index: src/common/lib/functions/initServer
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/initServer,v
retrieving revision 1.40
diff -u -r1.40 initServer
--- src/common/lib/functions/initServer 30 Aug 2004 12:31:53 -0000 1.40
+++ src/common/lib/functions/initServer 1 Sep 2004 13:27:27 -0000
@@ -184,6 +184,10 @@
$query->set_gettext (\&i18nGettext);
close ($fh);

+ ## validate input data
+ ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
+ validateCGIParameters(\$query);
+
## reinit configuration
my $CONFIG = $AUTOCONF {"etc_prefix"}.'/servers/'.$AUTOCONF
{"config_prefix"}.'.conf';
if( not defined (my $ret = $config->loadCfg( "$CONFIG" )) ) {
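Review bot: the added `validateCGIParameters(\$query);` call sits at line 184 of initServer, after `$query->set_gettext` and `close ($fh)`, so any code earlier in this file that reads parameters from `$query` still sees the raw values. Confirm nothing above this point does, or move the call to directly after `$query` is created, which is where the 0.9.1-8 patch puts it. The return value is discarded; that works because the function modifies the object in place, but a short comment at the call site saying so would help.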
Index: src/common/lib/functions/misc-utils.lib
===================================================================
RCS file:
/cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
retrieving revision 1.50
diff -u -r1.50 misc-utils.lib
--- src/common/lib/functions/misc-utils.lib 26 Aug 2004 14:08:03 -0000 1.50
+++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 13:27:27 -0000
@@ -443,4 +443,39 @@
debug ($cmd, @_);
}

+# 2004-08-31 Martin Bartosch <m.bartosch@cynops.de>
+# clean up CGI parameters
+# input: reference to CGI class instance
+# This function modifies the object itself
+sub validateCGIParameters {
+ my $queryref = shift;
+
+ ## validate input data
+ ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
+ foreach my $param (keys %{$$queryref->Vars}) {
+ my @values = $$queryref->param($param);
+
+ # replace < and > with &lt; and &rt; for all CGI parameters passed
+ # NOTE/FIXME: unescaping might be necessary when actually
+ # passing this data to e. g. certificate generation routines
+ # to prevent literal XML entities in certificate contents
+ map {
+ s/</&lt;/gm;
+ s/>/&gt;/gm;
+ } @values;
+ $$queryref->param(-name => $param, -value => @values);
+
+ # extra sanity check just to be sure (redundant)
+ foreach (@values) {
+ if (/<\S+.*?>/m) {
+ print "Content-type: text/html\n\n";
+ print "Security violation\n";
+ exit 101;
+ }
+ }
+ }
+ return $queryref;
+}
+
+
1;
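Review bot: in `validateCGIParameters`, the line `$$queryref->param(-name => $param, -value => @values);` flattens the array into the argument list, so a parameter that carries more than one value is passed as extra positional arguments instead of as a value list. Pass a reference (`-value => \@values`), assuming `OpenCA::TRIStateCGI` keeps the `param` interface of CGI.pm. Two smaller points in the same function: the comment above the `map` says `&rt;` where the code substitutes `&gt;`, and the `map` is used only for its side effects, so a plain `foreach` over `@values` would read more clearly.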

###########################################################################
## Patches against version 0.9.1-8
###########################################################################

Index: src/common/lib/functions/misc-utils.lib
===================================================================
RCS file:
/cvsroot/openca/openca-0.9/src/common/lib/functions/misc-utils.lib,v
retrieving revision 1.16.2.2
diff -u -r1.16.2.2 misc-utils.lib
--- src/common/lib/functions/misc-utils.lib 16 Apr 2003 13:24:51
-0000 1.16.2.2
+++ src/common/lib/functions/misc-utils.lib 1 Sep 2004 11:49:14 -0000
@@ -445,4 +445,38 @@

}

+# 2004-08-31 Martin Bartosch <m.bartosch@cynops.de>
+# clean up CGI parameters
+# input: reference to CGI class instance
+# This function modifies the object itself
+sub validateCGIParameters {
+ my $queryref = shift;
+
+ ## validate input data
+ ## 2004-08-27 Martin Bartosch <m.bartosch@cynops.de>
+ foreach my $param (keys %{$$queryref->Vars}) {
+ my @values = $$queryref->param($param);
+
+ # replace < and > with &lt; and &rt; for all CGI parameters passed
+ # NOTE/FIXME: unescaping might be necessary when actually
+ # passing this data to e. g. certificate generation routines
+ # to prevent literal XML entities in certificate contents
+ map {
+ s/</&lt;/gm;
+ s/>/&gt;/gm;
+ } @values;
+ $$queryref->param(-name => $param, -value => @values);
+
+ # extra sanity check just to be sure (redundant)
+ foreach (@values) {
+ if (/<\S+.*?>/m) {
+ print "Content-type: text/html\n\n";
+ print "Security violation\n";
+ exit 101;
+ }
+ }
+ }
+ return $queryref;
+}
+
1;
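Review bot: the two substitutions in the `map` block cover only `<` and `>`, so `&` and both quote characters pass through unchanged and a value later written inside an HTML attribute is not protected. Escape `&`, `"` and `'` as well, or encode at the point of output instead, which would also address the NOTE/FIXME about entities ending up in certificate contents. The `if (/<\S+.*?>/m)` check runs on `@values` after every `<` has already been replaced, so it can never match, and the parameter names taken from `keys %{$$queryref->Vars}` are not checked at all.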
Index: src/web-interfaces/ca/ca.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ca/ca.in,v
retrieving revision 1.8.2.1
diff -u -r1.8.2.1 ca.in
--- src/web-interfaces/ca/ca.in 10 Nov 2003 13:10:48 -0000 1.8.2.1
+++ src/web-interfaces/ca/ca.in 1 Sep 2004 11:49:16 -0000
@@ -132,6 +132,9 @@
##// Now it's time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;

+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/ldap/ldap.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ldap/ldap.in,v
retrieving revision 1.7.2.1
diff -u -r1.7.2.1 ldap.in
--- src/web-interfaces/ldap/ldap.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
+++ src/web-interfaces/ldap/ldap.in 1 Sep 2004 11:49:16 -0000
@@ -138,6 +138,9 @@
##// Now it's time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;

+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/node/node.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/node/node.in,v
retrieving revision 1.2.2.1
diff -u -r1.2.2.1 node.in
--- src/web-interfaces/node/node.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
+++ src/web-interfaces/node/node.in 1 Sep 2004 11:49:17 -0000
@@ -139,6 +139,9 @@
##// Now it's time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;

+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/pub/pki.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/pki.in,v
retrieving revision 1.7.2.1
diff -u -r1.7.2.1 pki.in
--- src/web-interfaces/pub/pki.in 10 Nov 2003 13:10:48 -0000 1.7.2.1
+++ src/web-interfaces/pub/pki.in 1 Sep 2004 11:49:17 -0000
@@ -136,6 +136,9 @@
##// Now it's time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;

+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/pub/scepd.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/pub/Attic/scepd.in,v
retrieving revision 1.2.2.1
diff -u -r1.2.2.1 scepd.in
--- src/web-interfaces/pub/scepd.in 10 Nov 2003 13:10:48 -0000 1.2.2.1
+++ src/web-interfaces/pub/scepd.in 1 Sep 2004 11:49:17 -0000
@@ -121,6 +121,9 @@
##// Now it's time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;

+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
Index: src/web-interfaces/ra/RAServer.in
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/web-interfaces/ra/RAServer.in,v
retrieving revision 1.8.2.1
diff -u -r1.8.2.1 RAServer.in
--- src/web-interfaces/ra/RAServer.in 10 Nov 2003 13:10:49 -0000 1.8.2.1
+++ src/web-interfaces/ra/RAServer.in 1 Sep 2004 11:49:18 -0000
@@ -138,6 +138,9 @@
##// Now it's time to get the parameters passed over the web
$query = new OpenCA::TRIStateCGI;

+## validate input parameters
+validateCGIParameters(\$query);
+
## Generate a new reference to Configuration ( instance )
$dbconfig = new OpenCA::Configuration;
$dbiconfig = new OpenCA::Configuration;
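Review bot: the same three added lines are pasted after `$query = new OpenCA::TRIStateCGI;` in each of ca.in, ldap.in, node.in, pki.in, scepd.in and RAServer.in, so an interface script added later gets no filtering unless its author remembers the call. Putting the call in one shared place, as the 0.9.2 patch does in initServer, removes that dependency.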

- Related references

 

 
