Interspire Shopping Cart Cookie Authentication Bypass Vulnerability

Vulnerability ID 1183849 Vulnerability type Authorization issue
Published 2009-02-03 Updated 2009-02-04
CVE ID CVE-2009-0412 CNNVD ID CNNVD-200902-059
Platform N/A CVSS score 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2009020114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-059
|Vulnerability details
The ProcessLogin function in class.auth.php in Interspire Shopping Cart (ISC) 4.0.1 Ultimate edition allows a remote attacker to bypass authentication and gain administrative access by reusing the RememberToken cookie that the function sets during a failed login attempt.
|Vulnerability EXP
BLUE MOON SECURITY ADVISORY 2009-01
===================================

:Title: Authentication bypass in Interspire Shopping Cart
:Severity: Critical
:Reporter: Truong Van Tri and Blue Moon Consulting
:Products: Interspire Shopping Cart v4.0.1 Ultimate edition
:Fixed in: v4.0.2

Description
-----------

Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start, run, promote and profit from your online store. It combines easy-to-customize store designs with marketing tools proven to significantly increase your sales.

In v4.0.1, ISC suffers from an authentication bypass problem. This allows anyone to login to ISC's control panel without knowing the administrator's password.

The problem is with ``class.auth.php``'s ``ProcessLogin`` function. This function sets the HTTPOnly ``RememberToken`` cookie too early in the process, before the user has been authenticated. A malicious user can force ``ProcessLogin`` to set this cookie by ticking ``Remember me`` on the login page, entering a targeted username such as ``admin``, and anything as the password. This first attempt fails, but the cookie is already set and is enough to authenticate him/her to the control panel on the next request.
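The ordering bug described above, modelled as an added example. This is not Interspire's code and the advisory does not publish the real ``ProcessLogin``; the in-memory store, the SHA-256 password hashing, the random token bound to a username and the ``attack`` driver are all assumptions chosen only to show why issuing the remember-me cookie before the password check is a full authentication bypass. Note that the HTTPOnly flag is irrelevant to the attack: the attacker's own browser holds the cookie and sends it back automatically.

```python
"""Model of the RememberToken ordering bug described in BMSA-2009-01.

Added, constructed example: not Interspire's code. The store layout, the
token format and the user table are assumptions made to illustrate the
consequence of setting the remember-me cookie before authentication.
"""
import hashlib
import hmac
import secrets


class Store:
    """In-memory stand-in for the application's database (constructed)."""

    def __init__(self):
        # Constructed admin account; the real ISC hash scheme is not known here.
        self.users = {"admin": hashlib.sha256(b"correct-horse-battery").hexdigest()}
        # Server-side half of the remember-me cookie: token -> username.
        self.remember_tokens = {}


def password_ok(store, username, password):
    """Constant-time comparison of the submitted password's hash with the stored one."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    stored = store.users.get(username)
    return stored is not None and hmac.compare_digest(stored, digest)


def issue_remember_token(store, username):
    """Create a random token bound to the account and record it server-side."""
    token = secrets.token_hex(16)
    store.remember_tokens[token] = username
    return token


def login_vulnerable(store, form, cookies):
    """Models 4.0.1's ProcessLogin: the cookie is set before the password is checked."""
    username = form["username"]
    if form.get("remember") and username in store.users:
        cookies["RememberToken"] = issue_remember_token(store, username)  # too early
    return password_ok(store, username, form["password"])


def login_fixed(store, form, cookies):
    """Hardened ordering: only a successfully authenticated user gets a token."""
    username = form["username"]
    if not password_ok(store, username, form["password"]):
        return False
    if form.get("remember"):
        cookies["RememberToken"] = issue_remember_token(store, username)
    return True


def user_from_cookie(store, cookies):
    """What the control panel does on a later request: trust any recorded token."""
    return store.remember_tokens.get(cookies.get("RememberToken"))


def attack(login):
    """Fail a login with 'Remember me' ticked, then replay the cookie.

    Returns the username the application now believes is logged in,
    or None when the replayed cookie is not accepted.
    """
    store = Store()
    cookies = {}  # the attacker's browser cookie jar
    authenticated = login(
        store, {"username": "admin", "password": "wrong", "remember": True}, cookies
    )
    assert not authenticated  # the first attempt is rejected either way
    return user_from_cookie(store, cookies)


if __name__ == "__main__":
    print("vulnerable:", attack(login_vulnerable))  # admin
    print("fixed:", attack(login_fixed))            # None
```

The fix is purely a matter of ordering: nothing that binds a browser to an account (a cookie, a server-side token record, a session flag) may be created until the credential check has succeeded, and a failed attempt must leave no such state behind.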

Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition being showcased at http://www.interspire.com/shoppingcart/demo.php. It is highly likely that it also exists in older versions.

Workaround
----------

There is no workaround. Please apply the fix.

Fix
---

The problem has been fixed in v4.0.2.

Disclosure
----------

Blue Moon Consulting follows `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ when notifying vendors.

:Initial vendor contact:

January 07, 2009: Initial contact sent to customerservice (at) interspire (dot) com and sales (at) interspire (dot) com

:Vendor response:

January 08, 2009: Chris Boulton requested further communications to be addressed to him directly.

:Further communication:

January 08, 2009: Prepared advisory is sent to Chris and regular update is requested.

January 08, 2009: Chris updated us with a proper fix.

January 08, 2009: Mitchell Harper updated us with Interspire's notification to their customers.

January 08, 2009: Mitchell and Chris requested us to hold off full disclosure for 6 weeks to allow time for Interspire customers to get patched.

January 08, 2009: We agreed to hold it off till 4.0.2 was released.

January 08, 2009: Draft advisory was sent to Chris and Mitchell.

January 08, 2009: Chris clarified that 4.0.2 had been released to address the issue.

January 12, 2009: Mitchell requested us not to include full details such as steps to reproduce the bug.

January 12, 2009: We explained our disclosure policy again to Mitchell, and sent an updated advisory.

:Public disclosure: January 12, 2009

:Exploit code: No exploit code is needed.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAklrWmYACgkQbKzcTD214ZeHkQCfYTV5y/x+UWWDwWa//nuUWzwA
3ScAn3Lfmb4EEXepEzDGPjJlT6ryaPP4
=ew7i
-----END PGP SIGNATURE-----
|References

Source: XF
Name: interspire-classauth-security-bypass(47899)
Link: http://xforce.iss.net/xforce/xfdb/47899
Source: SECTRACK
Name: 1021557
Link: http://www.securitytracker.com/id?1021557
Source: BID
Name: 33212
Link: http://www.securityfocus.com/bid/33212
Source: BUGTRAQ
Name: 20090112 [BMSA-2009-01] Authentication bypass in Interspire Shopping Cart v4.0.1 and below
Link: http://www.securityfocus.com/archive/1/archive/1/499967/100/0/threaded