Vulnerability Note, 14th of August 2008

CAcert certificate issuance with unverified arbitrary email addresses

The CAcert issuance of certificates had a vulnerability that permitted an attacker to add arbitrary email addresses without verification.

I. Description

Certificates are issued to Members who log in to a web page. After authenticating the Member, she is offered a choice of certificates, with a choice of pre-verified email addresses.
In the POST response to that choice, there is insufficient checking of the parameters supplied, and it is possible to add multiple additional email addresses that are not pre-verified.

The specific failure is the use of register_globals and insufficient parameter testing.
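The defensive pattern the note implies is to read the selection explicitly from the request and accept only addresses that are already on the Member's pre-verified list, rejecting the whole request if anything else appears. The following PHP is an added illustration, not CAcert's code; the function and variable names (filterSelectedEmails, the "emails" POST field, the verified-address lookup) are hypothetical, and the sample addresses are constructed.

```php
<?php
// Added illustration (not CAcert's code): server-side filtering of the
// email addresses a Member selects when requesting a certificate.
// All names here are hypothetical.

/**
 * Keep only submitted addresses that appear in the Member's pre-verified
 * list. Everything else is returned separately so the caller can refuse
 * the request and log the attempt.
 */
function filterSelectedEmails(array $submitted, array $verified): array
{
    // Index the verified list once, normalised for a case-insensitive match.
    $verifiedMap = [];
    foreach ($verified as $addr) {
        $verifiedMap[strtolower(trim($addr))] = true;
    }

    $accepted = [];
    $rejected = [];
    foreach ($submitted as $addr) {
        if (!is_string($addr)) {        // nested arrays or other types are not addresses
            $rejected[] = $addr;
            continue;
        }
        $norm = strtolower(trim($addr));
        if (isset($verifiedMap[$norm])) {
            $accepted[$norm] = $norm;   // keyed by address, so duplicates collapse
        } else {
            $rejected[] = $addr;
        }
    }
    return ['accepted' => array_values($accepted), 'rejected' => $rejected];
}

// --- Request handling ------------------------------------------------------
// Read the selection from $_POST explicitly; never let register_globals
// populate a variable such as $emails straight from the request.
$submitted = $_POST['emails'] ?? [];
if (!is_array($submitted)) {
    $submitted = [$submitted];
}

// The pre-verified addresses come from the Member's account record, never
// from the request. Constructed sample data stands in for that lookup.
$verifiedForMember = ['alice@example.com', 'alice@example.org'];

$result = filterSelectedEmails($submitted, $verifiedForMember);

if (count($result['rejected']) > 0) {
    // Refuse the whole request rather than silently issuing with a subset:
    // an unverified address in the POST is a tampering indicator worth logging.
    error_log('Certificate request rejected; unverified addresses submitted: '
        . json_encode($result['rejected']));
    http_response_code(400);
    exit('One or more selected email addresses are not verified for this account.');
}

// $result['accepted'] is now the only list that may be placed in the
// certificate's subjectAltName.
```

The check belongs on the server regardless of what the form offers, because the form's option list is not a constraint on what a client can POST. Turning register_globals off (register_globals = Off in php.ini, and the directive was removed entirely in PHP 5.4) removes the second half of the problem, where request parameters silently become application variables.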

II. Impact
A Member may add email addresses from a limited range of TLDs (Japan only has been verified).

III. Solution
The parameter checking has been fixed. Register_globals is now turned off in the test system to explore side effects. Operational software will follow.

IV. Systems Affected
Only Japan TLD addresses may have been affected. There is no indication that any prior issued certificates with Japan TLD email addresses are other than valid.

This is a Member-reliance issue only. Any disputes will be filed in CAcert’s internal Arbitration forum.

CAcert Fixed 14th of August 2008


CAcert credits Kriss Andsten for reporting this issue.

CAcert, Teus Hagen

