http://www.cacert.org/analyse.php POST[csr] XSS

This is part of a code audit on cacert sources. Francesco 'ascii' Ongaro - www.ush.it

HTML POC

>>> POST XSS and external source load POC <<<
I'm a gateway page, as used in post xss attacks. Click send to trigger the event.

Fast check

curl -ki "http://www.cacert.org/analyse.php" -d "csr=TETE" | egrep "TE.*TE"

Response headers:

Date: Sun, 07 Jan 2007 04:07:03 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.4.2-1.1 mod_ssl/2.8.25 OpenSSL/0.9.8a
X-Powered-By: PHP/4.4.2-1.1
Set-Cookie: cacert=f77b7b7d9434e696ba8875bdc490d164; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Vulnerable code

./www/analyse.php

    // the raw POST value is echoed back into the page without htmlspecialchars()
    if($_POST['csr'] == "") echo $_POST['csr'];

Summary

- POST XSS
- magic_quotes_gpc ON
- Unaffected by user role (guest/logged in)
- PHP error: Warning: openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! in /www/www/analyse.php on line 29
- Path disclosure
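A hardened version of the input handling shown under "Vulnerable code", also covering the warning and path disclosure listed in the summary. This is an added example, not CAcert's own fix; it assumes the page only needs to echo the submitted value back and pass it to openssl_x509_read(), and the helper names html_safe() and looks_like_pem() are assumptions.

```php
<?php
// Added example, not CAcert's code: hardened handling of POST[csr] for a page
// like analyse.php. Assumes the page echoes the submitted value back and then
// hands it to openssl_x509_read(); helper names are assumptions.

// Never send PHP warnings (which carry the script's filesystem path) to the
// client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$csr = isset($_POST['csr']) ? (string) $_POST['csr'] : '';

// magic_quotes_gpc only backslash-escapes quotes; it leaves < and > alone and
// so is no XSS defence. Undo it so the value below is the raw submission.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $csr = stripslashes($csr);
}

// Encode for the page's declared charset (iso-8859-1) at the moment of output.
function html_safe($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'ISO-8859-1');
}

// Accept only input shaped like a single PEM block before calling OpenSSL.
function looks_like_pem($s)
{
    $pem = '/^-----BEGIN [A-Z ]+-----\r?\n[A-Za-z0-9+\/=\r\n]+-----END [A-Z ]+-----\s*$/';
    return preg_match($pem, $s) === 1;
}

header('Content-Type: text/html; charset=iso-8859-1');

if ($csr === '' || !looks_like_pem($csr)) {
    // Reflecting the input is only safe after HTML-encoding it.
    echo '<p>Not a valid PEM block: ' . html_safe($csr) . '</p>';
    exit;
}

// @ suppresses the "cannot be coerced into an X509 certificate" warning; the
// return value is checked instead of letting PHP print the warning and path.
$cert = @openssl_x509_read($csr);
if ($cert === false) {
    echo '<p>The supplied certificate could not be parsed.</p>';
    exit;
}

$info = openssl_x509_parse($cert);
echo '<p>Subject: ' . html_safe($info['name']) . '</p>';
openssl_x509_free($cert);
```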