https://bugs.koozali.org/show_bug.cgi?id=12272
Bug ID: 12272
Summary: smeserver-phpki-ng allow remote access for crl
Classification: Contribs
Product: SME Contribs
Version: 10.0
Hardware: ---
OS: ---
Status: CONFIRMED
Severity: normal
Priority: P3
Component: phpki-ng
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected],
[email protected], [email protected]
Depends on: 11439
Target Milestone: ---
Created attachment 6791
--> https://bugs.koozali.org/attachment.cgi?id=6791&action=edit
/opt/phpki/html/dl_crl.php
+++ This bug was initially created as a clone of Bug #11439 +++
We really ought to at least set the Certificate Authority Base URL to the IP
address of the server in phpki-ng and consider whether we allow some form of
remote access to the Revocation lists for the likes of OpenVPN.
These are current settings.
It would need some code to autopopulate the base URL in phpki-ng and then
something in the http proxy in smeserver-phpki-ng.
Certificate Authority Base URL
Enter the public Web address where your Certificate Authority will reside. The
address should end with a trailing slash (/) character. This address will be
embeded in all certficates issued by your CA, for informational purposes.
http://www.somewhere.com/phpki/
Certificate Authority CRL Distribution Points
Provide the public URL where Certificate Revocation List (CRL) of your CA will
reside. This path is relative to Base URL above. You may leave it by default if
your clients have direct access to PHPki.
index.php?stage=dl_crl
Certificate Authority Revocation Check URL
Provide the public URL where clients of your CA can check if the requested
certificate has been revoked. This path is relative to Base URL above. You may
leave it by default if your clients have direct access to PHPki.
ns_revoke_query.php?
The following file, with the correct changes to httpd, will allow safe
distribution of the CRL outside of the LAN.
The script does not accept any parameters.
As for ns_revoke_query.php?, it is already dedicated to one usage.
I would, however, improve this:
$serial = escapeshellcmd(trim($_SERVER['QUERY_STRING']));
https://www.php.net/manual/en/function.escapeshellcmd.php
https://stackoverflow.com/questions/1881582/whats-the-difference-between-escapeshellarg-and-escapeshellcmd
We know our serial should be a short string of numbers; we should regex that.
Referenced Bugs:
https://bugs.koozali.org/show_bug.cgi?id=11439
[Bug 11439] smeserver-phpki-ng allow remote access for crl
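
An added example, not part of the bug report or of PHPki's code: one way to do the allowlist check the comment proposes before the query string reaches any shell command. The function name `parse_serial`, the decimal-only format and the 20-digit limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: a serial is 1 to 20 decimal digits and nothing else.
const SERIAL_PATTERN = '/\A[0-9]{1,20}\z/';

/**
 * Return the serial if the raw query string is a well-formed serial, else null.
 * Hypothetical helper, not a PHPki function.
 */
function parse_serial(string $rawQuery): ?string
{
    $candidate = trim($rawQuery);
    // \A and \z anchor the whole string; a plain $ would also accept a
    // trailing newline, so it is avoided here.
    if (preg_match(SERIAL_PATTERN, $candidate) !== 1) {
        return null;
    }
    return $candidate;
}

// Constructed sample query strings. $_SERVER['QUERY_STRING'] is not
// URL-decoded by PHP, so percent-encoded input fails on the '%' itself.
$samples = ['100003', ' 42 ', '', '12ab', "7\n8", '1 2', '-1', '1%0A2',
            str_repeat('9', 21)];

foreach ($samples as $raw) {
    $serial = parse_serial($raw);
    if ($serial === null) {
        // A real endpoint would stop here, e.g. http_response_code(400); exit;
        printf("%-26s => rejected\n", json_encode($raw));
        continue;
    }
    // If the value still has to reach a shell, pass it as one quoted
    // argument: escapeshellarg() quotes a single argument, whereas
    // escapeshellcmd() leaves spaces alone and so does not stop extra
    // arguments from being added.
    printf("%-26s => accepted as %s\n", json_encode($raw), escapeshellarg($serial));
}
```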