Reporter Packet Storm
`Subject: [Security] Spoofed Id in Bluestone Sapphire/Web
INTRINsec Security Advisory
Release Date : September 02, 1999
Software : Bluestone Sapphire/Web V5
Operating System: Solaris
Impact : The attacker can access the session of other connected clients.
Author : Gerald.Grevrend@INTRINsec.com
Status : Bluestone is advised from this.
URLs : http://www.INTRINsec.com
__ Diggest __
Sapphire/Web is a framework for iCommerce platforms. This product has a
security flaw in its authentication scheme that allows an attacker
to easily usurpate the identity of the currently connected clients.
Bluestone is advised from this and wont correct this bug.
__ Technical Details and Exploits __
To authenticate its clients, Sapphire/Web uses an id stored in a session
cookie as authentication scheme. After you have sent your login/password,
Sapphire/Web sends you back a session cookie containing your id for this
There are two flaws in their id authentication scheme :
- the id is higly predictable : it is a counter incremented one by one,
so given your id, it is easy to guess the id of people connected just before
- the id longs all your session : it isn't renewed at each http request,
so you are sure that if the session hasn't been disconnected, its id is
All the attacker has to do is to connect to Sapphire/Web server with a valid
login/password and note its id. Then he can make a request with a decreased
id in its cookie.
With some luck, he will access the session of another client.
__ Solutions __
Bluestone doesn't provide a patch for this problem. You have to upgrade your
software to the new version (V6.X) that allows you to use your own
__ Contacts __
-- Bluestone Software --
1000 Briggs Road
Mount Laurel, New Jersey 08054-4101
-- INTRINsec --
INTRINsec is a French Security Specialist.
This advisory is available in french.
Cet avis est disponible en francais sur notre site.
__ DISCLAMERS __
INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDED
THESES INFORMATIONS "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT
LIABLE FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Gerald Grevrend : Securite Informatique