[SSL Observatory] Interesting fun with Verisign and X.509 by Kaminsky, Patterson, Sassaman
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu May 5 00:27:37 PDT 2011
Chris Palmer <chris at eff.org> writes:
>https://www.cosic.esat.kuleuven.be/publications/article-1432.pdf
For people seeing this for the first time, it's an older paper (I've got it
catalogued as "to appear" so I don't know the exact date for it, but it's been
around for at least a year).
>We also draw particular attention to two possibly unrecognized vectors for
>implementation flaws that have been problematic in the past: the ASN.1 BER
>decoder required to parse PKCS#10, and the potential for SQL injection from
>text contained within its requests.
They have been recognised, at least by some :-). Here's the DN for one of my
code's test certs:
    { CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, TEXT( "NZ" ) },
    { CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, TEXT( "x'); DROP TABLE certificates; --" ) },
    { CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, TEXT( "x' OR 1=1; DROP TABLE certificates; --" ) },
    { CRYPT_CERTINFO_COMMONNAME, IS_STRING, TEXT( "x'; DROP TABLE certificates; --" ) },
I took out a CA some years ago with that :-).
Peter.
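
The SQL-injection vector from the quoted paper, run against the test DN above, as an added example that is not part of the original post or of the author's code. It writes the DN to a constructed in-memory SQLite table once by string concatenation and once with bound parameters; the schema, column names and function names are assumptions.

```python
import sqlite3

# DN values copied from the test certificate quoted in the post.
DN = {
    "C": "NZ",
    "O": "x'); DROP TABLE certificates; --",
    "OU": "x' OR 1=1; DROP TABLE certificates; --",
    "CN": "x'; DROP TABLE certificates; --",
}

def new_store():
    """Constructed in-memory stand-in for a CA's certificate database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE certificates (c TEXT, cn TEXT, ou TEXT, o TEXT)")
    return db

def table_exists(db):
    q = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='certificates'"
    return db.execute(q).fetchone()[0] == 1

def store_concatenated(db, dn):
    """Weak form: DN text pasted into the statement. executescript() stands in
    for client libraries that accept several statements in one string."""
    sql = "INSERT INTO certificates (c, o) VALUES ('%s', '%s')" % (dn["C"], dn["O"])
    try:
        db.executescript(sql)
    except sqlite3.Error:
        pass  # whatever ran before the error has already taken effect
    return table_exists(db)

def store_bound(db, dn):
    """Corrected form: the statement text is fixed and DN values are bound."""
    db.execute(
        "INSERT INTO certificates (c, cn, ou, o) VALUES (?, ?, ?, ?)",
        (dn["C"], dn["CN"], dn["OU"], dn["O"]),
    )
    row = db.execute("SELECT c, cn, ou, o FROM certificates").fetchone()
    return table_exists(db), row

if __name__ == "__main__":
    print("table survives concatenation:", store_concatenated(new_store(), DN))
    print("table survives bound insert: ", store_bound(new_store(), DN))
```

Only the O value is concatenated in the weak form because it is the one shaped to close a VALUES list; with bound parameters all four strings are stored byte for byte as data.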