{"vuid":"VU#264385","idnumber":"264385","name":"OpenCA allows cross-site request forgery (XSRF)","keywords":["OpenCA","cross-site request forgery","xsrf","csrf","Certification Authority"],"overview":"OpenCA contains a cross-site request forgery (XSRF) vulnerability that may allow an attacker to leverage an administrator's credentials to execute activities on the Certification Authority.","clean_desc":"The OpenCA PKI Development Project is an open source out-of-the-box Certification Authority (CA). OpenCA includes various web forms for executing requests and other activities on the CA, such as digital certificate issuance. A cross-site request forgery (XSRF) vulnerability exists in the way OpenCA processes requests submitted via these forms. By manipulating an administrator who is authenticated to the CA via a session cookie into following a tag that contains CA commands, an attacker may be able to execute those commands on the CA.","impact":"An authenticated user can be manipulated into executing activities on the CA, such as digital certificate issuance, without their knowledge or consent.","resolution":"This vulnerability has been addressed in Security Advisory AKLINK-SA-2008-001.","workarounds":"","sysaffected":"","thanks":"This vulnerability was reported by Alexander Klink of Cynops GmbH","author":"This document was written by Joseph W. Pruszynski.","public":["https://www.cynops.de/advisories/CVE-2008-0556.txt","http://secunia.com/advisories/28951/","http://www.owasp.org/index.php/XSRF"],"cveids":["CVE-2008-0556"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2008-02-15T15:35:19Z","publicdate":"2008-02-13T00:00:00Z","datefirstpublished":"2008-02-22T21:41:00Z","dateupdated":"2008-02-25T15:33:27Z","revision":16,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"8","cam_exploitation":"6","cam_internetinfrastructure":"2","cam_population":"3","cam_impact":"12","cam_easeofexploitation":"13","cam_attackeraccessrequired":"17","cam_scorecurrent":"2.3868","cam_scorecurrentwidelyknown":"4.1769","cam_scorecurrentwidelyknownexploited":"6.26535","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":2.3868,"vulnote":null}