KonaKart Storefront Application Cross Site Request Forgery

2014-09-22T00:00:00
ID PACKETSTORM:128342
Type packetstorm
Reporter Christian Schneider
Modified 2014-09-22T00:00:00

Description

  
  
CVE-2014-5516  
===================  
"Cross-Site Request Forgery (CSRF) protection bypass" (CWE-352) vulnerability   
in "KonaKart Storefront Application" Enterprise Java eCommerce product  
  
  
Vendor  
===================  
DS Data Systems (UK) Ltd.  
  
  
Product  
===================  
"KonaKart is an affordable java based shopping cart software solution for online retailers.   
Let KonaKart help increase your eCommerce sales."  
- source: http://www.konakart.com  
  
"KonaKart is a Java eCommerce system aimed at medium to large online retailers."  
- source: https://en.wikipedia.org/wiki/KonaKart  
  
  
Affected versions  
===================  
This vulnerability affects versions of KonaKart Storefront Application prior to 7.3.0.0.  
  
  
Patch  
===================  
The vendor has released an XSRF fix as part of version 7.3.0.0 at  
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new  
  
  
Reported by  
===================  
This issue was reported to the vendor by Christian Schneider (@cschneider4711)   
following a responsible disclosure process.  
  
  
Severity  
===================  
Medium  
  
  
Description  
===================  
The existing CSRF protection token was checked properly for every POST request.  
When the request method was changed from POST to GET, all state-changing  
actions still worked, but the CSRF token was no longer enforced, allowing  
CSRF attacks.  
  
  
Escalation potential  
====================  
An exploitation demonstration was responsibly provided to the vendor along with  
the vulnerability report. It changed a victim's mail address (using the CSRF  
protection bypass) to an attacker-supplied mail address, allowing the attacker  
to successfully reset the victim's account password.  
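The two behaviours described above, modelled side by side as an added illustration (not KonaKart's code; written in Python rather than the product's Java, with a constructed session and hypothetical action names, of which only the mail-address change is taken from the advisory):

```python
import hmac
import secrets

# Constructed example: a toy request dispatcher that models the advisory's bug
# and its fix. Action names are hypothetical, not KonaKart's.
STATE_CHANGING_ACTIONS = {"ChangeEmailAddress", "ChangePassword"}


def new_session():
    """A session carrying a random CSRF token and the account's mail address."""
    return {"csrf_token": secrets.token_hex(16), "email": "victim@example.invalid"}


def token_matches(session, supplied):
    """Constant-time comparison; a missing or wrong token never matches."""
    if supplied is None:
        return False
    return hmac.compare_digest(session["csrf_token"].encode(), supplied.encode())


def vulnerable_dispatch(session, method, action, params):
    """Pre-7.3.0.0 behaviour as described: the token is verified only when the
    request is a POST, while the action itself runs for any method."""
    if method == "POST" and not token_matches(session, params.get("csrf_token")):
        return "rejected: bad CSRF token"
    return _run(session, action, params)


def fixed_dispatch(session, method, action, params):
    """Method-agnostic enforcement: a state-changing action must arrive by POST
    and must carry a valid token, whatever shape the request takes."""
    if action in STATE_CHANGING_ACTIONS:
        if method != "POST":
            return "rejected: state change via %s not allowed" % method
        if not token_matches(session, params.get("csrf_token")):
            return "rejected: bad CSRF token"
    return _run(session, action, params)


def _run(session, action, params):
    """The application logic itself, which trusts whoever reaches it."""
    if action == "ChangeEmailAddress":
        session["email"] = params["email"]
        return "ok: email now " + session["email"]
    if action == "ShowAccount":
        return "ok: " + session["email"]
    return "rejected: unknown action"
```

With the vulnerable dispatcher a GET to ChangeEmailAddress with no token succeeds; with the fixed one it is rejected before the mail address is touched.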
  
  
Timeline  
===================  
2014-05-02 Vulnerability discovered  
2014-05-02 Vulnerability responsibly reported to vendor  
2014-05-02 Reply from vendor acknowledging report  
2014-??-?? Vendor released patch as part of version 7.3.0.0  
2014-09-20 Advisory published via BugTraq  
  
  
References  
===================  
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new  
http://www.christian-schneider.net/advisories/CVE-2014-5516.txt  
  
  
  