 * Case Number: a20110413.1
 * Status: Closed
 * Claimants: MarcusMängel
 * Respondents: CAcert
 * Case Manager: MartinGummi
 * Arbitrator: UlrichSchroeter
 * Date of arbitration start: 2011-04-13
 * Date of ruling: 2011-04-13
 * Case closed: 2011-04-14
 * Complaint: Adhoc SQL query
 * Relief: TBD

Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: MarcusMängel (C), Case: a20110413.1

== History Log ==
 . 2011-04-13 (issue.c.o) case [s20110412.140]
 . 2011-04-13 (A): added to wiki, request for CM / A
 . 2011-04-13 (A): I'll take care of this case as (A)
 . 2011-04-13 (CM): I'll take care of this case as (CM)
 . 2011-04-13 (A): sending init mailing to (C) with CCA/DRP acceptance request
 . 2011-04-13 (C): accepts CCA/DRP under this arbitration
 . 2011-04-13 (A): contacting SAs for review of SQL query deployed by (SA1)
 . 2011-04-13 (SA2): confirmation by 2nd (SA)

== Original Dispute, Discovery (Private Part) ==
 * Link to Arbitration case [[Arbitrations/priv/a20110413.1|a20110413.1 (Private Part)]]

==== EOT Private Part ====

== Ruling ==
 * This case is based on [[https://bugs.cacert.org/view.php?id=637|bug #637]]
 * The Software-Assessment Project Team at [[Software/Assessment/20110412-S-A-MiniTOP|meeting 2011-04-12]] decided to first check the count of affected accounts
 * The proposed SQL query regarding an already known password discovers only the accounts of users who used an already known weak password that is already published on the main website
 * No further information will be discovered with the result set
 * Logical security checks are not yet well covered by the SP, e.g. weak passwords used. This does not fall into the Critical team role, nor the Support-Engineer role, nor the Software-Assessor role.
 * Members identified a potential logical security hole, but no team is responsible by SP definitions.
 * Regular review of system settings is subject to another running arbitration case [[Arbitrations/a20110221.1|a20110221.1]], but that case covers only flag settings. A recurring logical system check over the database content (e.g. used weak passwords) is not yet defined.
 * In order to handle the reported bug# and to move forward with this case, I hereby order the (Critical Team) to execute the proposed SQL query that was checked and confirmed by 2 Software-Assessors.
 * The result set is to be sent to the Arbitrator/Case Manager and the nominated known Software-Assessors, to be presented within the next Software-Assessment project team meeting, but not published on any website nor within any minutes before a fix has been applied under [[https://bugs.cacert.org/view.php?id=637|bug #637]] onto the critical system.
 * The potential allowed recipients group includes: Critical team, Software-Assessors, Software-Assessment project team, Support-Engineers, Board members, Arbitrators
 * A disclosure of the result set outside the defined group of recipients and before a fix is implemented onto the critical system is forbidden under a fine of 150 Euro

Frankfurt/Main, 2011-04-13

== Execution ==
 * 2011-04-13 (A): sending ruling and exec order to (Critical Team), (C)
 * 2011-04-13 (Critical Admin): exec report to (C), (CM), (A)
 * 2011-04-13 (A): following the ruling, forwarding exec report to nominated (SA)'s, (CM) with warning on closed-group distribution and proposed fine.
 * 2011-04-13 (A): Exec report to (C). Case closed.

== Similar Cases ==
|| [[Arbitrations/a20090427.2|a20090427.2]] || [[Arbitrations/a20090427.2|Adhoc SQL query requested]] ||
|| [[Arbitrations/a20090810.4|a20090810.4]] || [[Arbitrations/a20090810.4|Emergency access to CAcert critical systems]] ||
|| [[Arbitrations/a20090810.1|a20090810.1]] || [[Arbitrations/a20090810.1|Emergency code change without dual control]] ||
|| [[Arbitrations/a20100822.1|a20100822.1]] || [[Arbitrations/a20100822.1|SQL query]] ||
|| [[Arbitrations/a20101114.1|a20101114.1]] || [[Arbitrations/a20101114.1|Addtl. adhoc interactive sql-query]] ||

----
 . CategoryArbitration
 . CategoryArbCaseSystemTasks