[Security] Spoofed Id in Bluestone Sapphire/Web

From: Gérald Grévren (ggdat_private)
Date: Wed Sep 08 1999 - 01:04:14 PDT

     INTRINsec Security Advisory
    
    
    Release Date    : September 02, 1999
    Software	: Bluestone Sapphire/Web V5
    Operating System: Solaris
    Impact		: The attacker can access the session of other connected clients.
    Author		: Gerald.Grevrendat_private
    Status		: Bluestone has been advised of this.
    URLs		: http://www.INTRINsec.com
    
    
    __ Digest __
    
    Sapphire/Web is a framework for iCommerce platforms. This product has a
    security flaw in its authentication scheme that allows an attacker
    to easily usurp the identity of the currently connected clients.
    
    Bluestone has been advised of this and will not correct this bug.
    
    
    __ Technical Details and Exploits __
    
    To authenticate its clients, Sapphire/Web uses an id stored in a session
    cookie as its authentication scheme. After you have sent your login/password,
    Sapphire/Web sends you back a session cookie containing your id for this
    session.
    There are two flaws in this id authentication scheme:
       - the id is highly predictable: it is a counter incremented one by one,
    so given your id, it is easy to guess the id of people connected just before
    you.
       - the id lasts for your whole session: it isn't renewed at each HTTP
    request, so you are sure that if the session hasn't been disconnected, its
    id is still valid.
    
    All the attacker has to do is connect to the Sapphire/Web server with a valid
    login/password and note his id. Then he can make a request with a decreased
    id in his cookie.
    With some luck, he will access the session of another client.
    
    __ Solutions __
    
    Bluestone doesn't provide a patch for this problem. You have to upgrade your
    software to the new version (V6.X) that allows you to use your own
    authentication scheme.
    
    __ Contacts __
    
    
     -- Bluestone Software --
     Support Services
     1000 Briggs Road
     Mount Laurel, New Jersey 08054-4101
     Phone: 856.778.7900
     Fax: 856.234.2877
     supportat_private
     http://www.bluestone.com
    
    
     -- INTRINsec --
    
     INTRINsec is a French Security Specialist.
     http://www.INTRINsec.com
     This advisory is available in French on our site.
    
    
    __ DISCLAIMERS __
    
    
    INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDES
    THIS INFORMATION "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT
    LIABLE FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES.
    
    --
    Gerald Grevrend : Securite Informatique
    http://www.INTRINsec.com
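
The two flaws listed under Technical Details, and what a replacement authentication scheme (as the Solutions section suggests for V6.X) needs to do instead, shown as an added example that is not part of the advisory and is not Bluestone or INTRINsec code. All class and function names, the starting counter value and the user names are hypothetical; the audit function is a check to run against ids issued by your own application.

```python
import itertools
import secrets

class CounterSessionStore:
    """Weak scheme as the advisory describes it: the id is a counter."""
    def __init__(self, start=1000):  # start value is constructed
        self._next = itertools.count(start)
        self.sessions = {}

    def login(self, user):
        sid = str(next(self._next))
        self.sessions[sid] = user
        return sid

class RandomSessionStore:
    """Hardened scheme: 256-bit CSPRNG id, renewed at every request."""
    def __init__(self):
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def request(self, sid):
        """Validate sid, invalidate it, and return (user, new_sid)."""
        user = self.sessions.pop(sid, None)
        if user is None:
            return None, None
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user
        return user, new_sid

def ids_are_sequential(ids):
    """Audit check: True if the ids are integers separated by a constant step."""
    if not all(i.isascii() and i.isdigit() for i in ids):
        return False
    nums = [int(i) for i in ids]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) >= 3 and len(steps) == 1

def audit(store, users=("alice", "bob", "carol", "dave")):
    """Log in a few constructed test users and check the ids handed out."""
    return ids_are_sequential([store.login(u) for u in users])
```

Renewing the id on every request invalidates the old value immediately, so an application that sends requests in parallel needs a short grace window or renewal at fixed points such as login and privilege change.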
    


