CAcert certificate issuance with unverified arbitratry email addresses
The CAcert issuance of certificates had a vulnerability that permitted an attacker to add arbitrary email addresses without verification.
Issuance of certificates is by means of login to a webpage by Members. After authenticating the Member, she is offered a choice of certificates, with a choice of pre-verified email addresses.
In the POST response to that choice, there is insufficient checking on the paramaters supplied, and it is possible to add multiple additional email addresses that are not pre-verified.
The specific failure is use of register_globals and insufficient paramater testing.
A Member may add email addresses from a limited range of TLDs (Japan only has been verified).
The paramater checking has been fixed. Register_globals is now turned off in the test system to explore side effects. Operational software will follow
Only Japan TLD addresses may have been affected. There is no indication that any prior issued certificates with Japan TLD email addresses are other than valid.
This is a Member-reliance issue only. Any disputes will be filed in CAcert’s internal Arbitration forum.
CAcert credits Kriss Andsten for reporting this issue.
CAcert, Teus Hagen