SecurityTracker.com
Category:   Application (Commerce)  >   Interspire Shopping Cart
Vendors:   Interspire
Interspire Shopping Cart Authentication Flaw in 'class.auth.php' Lets Remote Users Gain Administrative Privileges
SecurityTracker Alert ID:  1021557
SecurityTracker URL:  http://securitytracker.com/id/1021557
CVE Reference:   CVE-2009-0412   (Links to External Site)
Updated:  Feb 9 2009
Original Entry Date:  Jan 13 2009
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.0.1
Description:   A vulnerability was reported in Interspire Shopping Cart. A remote user can obtain administrative access on the target application.

A remote user can exploit a flaw in the ProcessLogin() function in 'class.auth.php' to cause the system to set an authentication cookie on the user's client that will allow the user to gain access to the administrative control panel without authenticating.

The vendor was notified on January 07, 2009.

Truong Van Tri and Blue Moon Consulting reported this vulnerability.

Impact:   A remote user can gain administrative privileges on the target application.
Solution:   The vendor has issued a fix (4.0.2).
Vendor URL:  www.interspire.com/shoppingcart/ (Links to External Site)
Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 12 Jan 2009 21:57:42 +0700
Subject:  [BMSA-2009-01] Authentication bypass in Interspire Shopping Cart

BLUE MOON SECURITY ADVISORY 2009-01
===================================


:Title: Authentication bypass in Interspire Shopping Cart
:Severity: Critical
:Reporter: Truong Van Tri and Blue Moon Consulting
:Products: Interspire Shopping Cart v4.0.1 Ultimate edition
:Fixed in: v4.0.2


Description
-----------

Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start, run, promote and profit from your online store. It combines easy-to-customize store designs with marketing tools proven to significantly increase your sales.

In v4.0.1, ISC suffers from an authentication bypass problem. This allows anyone to log in to ISC's control panel without knowing the administrator's password.

The problem is with ``class.auth.php``'s ``ProcessLogin`` function. This function sets the HTTPOnly ``RememberToken`` cookie too early in the process, before the user is authenticated. A malicious user could force ``ProcessLogin`` to set this cookie by ticking ``Remember me`` on the login page, entering a targeted username such as ``admin``, and anything as the password. This first attempt will fail, but the cookie is already set and ready to authenticate him/her to the control panel.
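The ordering flaw described above, as an added Python model that is not Interspire's code: the token format, the ``process_login`` and ``user_from_remember_cookie`` functions, the demo key and the single account are all constructed for illustration. The ``token_before_auth`` flag switches between the v4.0.1 ordering (cookie issued before the password check) and the corrected ordering (cookie issued only after a successful check).

```python
import hmac
import hashlib

# Constructed demo data: a server-side key and one account (a plain SHA-256 of
# the password stands in for whatever hash the real application uses).
SERVER_KEY = b"constructed-demo-key-not-real"
USERS = {"admin": hashlib.sha256(b"correct-horse").hexdigest()}


def make_remember_token(username: str) -> str:
    """Hypothetical RememberToken format: '<user>:<HMAC-SHA256(user)>'."""
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def process_login(username: str, password: str, remember_me: bool,
                  token_before_auth: bool) -> tuple[bool, dict]:
    """Model of a ProcessLogin routine. Returns (authenticated, cookies_set).

    token_before_auth=True reproduces the v4.0.1 ordering the advisory
    describes: the remember-me cookie is issued before the password is
    checked, so a failed attempt still leaves a usable token on the client.
    """
    cookies: dict = {}
    known_user = username in USERS
    if token_before_auth and remember_me and known_user:
        cookies["RememberToken"] = make_remember_token(username)  # issued too early
    submitted = hashlib.sha256(password.encode()).hexdigest()
    authenticated = known_user and hmac.compare_digest(USERS[username], submitted)
    if authenticated and remember_me and not token_before_auth:
        cookies["RememberToken"] = make_remember_token(username)  # fixed ordering
    return authenticated, cookies


def user_from_remember_cookie(cookies: dict):
    """Validate a RememberToken cookie on a later request; username or None."""
    token = cookies.get("RememberToken", "")
    user, _, mac = token.partition(":")
    if user not in USERS:
        return None
    expected = make_remember_token(user).partition(":")[2]
    return user if hmac.compare_digest(mac, expected) else None
```

The same check works as a black-box test against a real login form: submit a wrong password with "Remember me" ticked and confirm that the failed response carries no remember-me cookie in ``Set-Cookie``.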

Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition being showcased at http://www.interspire.com/shoppingcart/demo.php. It is highly likely that it also exists in older versions.

Workaround
----------

There is no workaround. Please apply the fix.

Fix
---

The problem has been fixed in v4.0.2.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  January 07, 2009: Initial contact sent to customerservice@interspire.com and sales@interspire.com

:Vendor response:

  January 08, 2009: Chris Boulton requested further communications to be addressed to him directly.

:Further communication:

  January 08, 2009: Prepared advisory is sent to Chris and regular update is requested.

  January 08, 2009: Chris updated us with a proper fix.

  January 08, 2009: Mitchell Harper updated us with Interspire's notification to their customers.

  January 08, 2009: Mitchell and Chris requested us to hold off full disclosure in 6 weeks to allow time for Interspire customers to get patched.

  January 08, 2009: We agreed to hold it off till 4.0.2 was released.

  January 08, 2009: Draft advisory was sent to Chris and Mitchell.

  January 08, 2009: Chris clarified that 4.0.2 had been released to address the issue.

  January 12, 2009: Mitchell requested us not to include full details such as steps to reproduce the bug.

  January 12, 2009: We explained our disclosure policy again to Mitchell, and sent an updated advisory.

:Public disclosure: January 12, 2009

:Exploit code: No exploit code is needed.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.


Copyright 2012, SecurityGlobal.net LLC