Zen Cart 远程攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1189942 漏洞类型 授权问题
发布时间 2007-07-06 更新时间 2007-07-06
CVE编号 CVE-2007-3597 CNNVD-ID CNNVD-200707-109
漏洞平台 N/A CVSS评分 8.5
Team Intell Security Advisory TISA2007-05
Zen Cart 1.3.7 - Session fixation Issue in backend Administration interface

Release date: 05.07.2007
Severity: Moderately critical
Remote-Exploit: yes
Impact: Session fixation
Status: Official patch not available
Software: Zen Cart 1.3.7
Tested on: Zen Cart 1.3.7
Vendor: http://www.zen-cart.com
Vendor-Status: informed/Patched
Disclosed by: Tomaz Bratusa (Team Intell)[TISA-2007-05]


Zen Cart 1.3.7 is a popular open source shopping cart system.

Security Risk
It is possible to manipulate administrator interface cookies, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records, and to perform transactions as that user.
The Cookie variable can be set to a malicious and arbitrary value which can lead to session hijacking and privilege escalation attack.

Possible Causes
Insecure web application programming or configuration

Technical Description
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity.

In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts.

Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies.

In contrast to stealing a user's session ID after they have logged into a web site, session fixation provides a much wider window of opportunity. The active part of the attack takes place before the user logs in.

The session fixation attack is normally a three step process:

1) Session Set-Up  
The attacker sets up a "trap-session" for the target web site and obtains that session's ID, or the attacker may select an arbitrary session ID used in the attack. In some cases, the established trap session value must be maintained with repeated web site contact.

2) Session Fixation  
The attacker introduces the trap session value into the user's browser and fixes the user's session ID.

3) Session Entrance  
The attacker waits until the user logs into the target web site, and then, when the fixed session ID value is used, the attacker may take over."

1.Regenerate SID on each request:
A powerful countermeassure against session fixation is to
"regenerate" session identifier (SID) on each request.
This means that although attacker may trick a user into accepting
a known SID, the SID will be invalid when attacker attempts to
re-use the SID.

2. Accept only server generated SID:
One way to improve security is to not accept session identifiers
not generated by server.

if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
session_destroy(); // destroy all data in session
session_regenerate_id(); // generate a new session identifier


20.06.2007 discovery of the vulnerability
20.06.2007 contacted the vendor
20.06.2007 advisory is written

02.07.2007 Patch becomes available


Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info (at) teamintell (dot) com [email concealed]


The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.
Zen Cart Zen Cart 1.3.7