bluestone.txt

1999-09-19T00:00:00
ID PACKETSTORM:15646
Type packetstorm
Reporter Packet Storm
Modified 1999-09-19T00:00:00

Description

                                        
                                            `Subject: [Security] Spoofed Id in Bluestone Sapphire/Web  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
INTRINsec Security Advisory  
  
  
  
Release Date : September 02, 1999  
Software : Bluestone Sapphire/Web V5  
Operating System: Solaris  
Impact : The attacker can access the session of other connected clients.  
Author : Gerald.Grevrend@INTRINsec.com  
Status : Bluestone is advised from this.  
URLs : http://www.INTRINsec.com  
  
  
  
__ Diggest __  
  
  
Sapphire/Web is a framework for iCommerce platforms. This product has a  
security flaw in its authentication scheme that allows an attacker  
to easily usurpate the identity of the currently connected clients.  
  
  
Bluestone is advised from this and wont correct this bug.  
  
  
  
__ Technical Details and Exploits __  
  
  
To authenticate its clients, Sapphire/Web uses an id stored in a session  
cookie as authentication scheme. After you have sent your login/password,  
Sapphire/Web sends you back a session cookie containing your id for this  
session.  
There are two flaws in their id authentication scheme :  
- the id is higly predictable : it is a counter incremented one by one,  
so given your id, it is easy to guess the id of people connected just before  
you.  
- the id longs all your session : it isn't renewed at each http request,  
so you are sure that if the session hasn't been disconnected, its id is  
valid.  
  
  
All the attacker has to do is to connect to Sapphire/Web server with a valid  
login/password and note its id. Then he can make a request with a decreased  
id in its cookie.  
With some luck, he will access the session of another client.  
  
  
__ Solutions __  
  
  
Bluestone doesn't provide a patch for this problem. You have to upgrade your  
software to the new version (V6.X) that allows you to use your own  
authentication scheme.  
  
  
__ Contacts __  
  
  
  
-- Bluestone Software --  
Support Services  
1000 Briggs Road  
Mount Laurel, New Jersey 08054-4101  
Phone: 856.778.7900  
Fax: 856.234.2877  
support@bluestone.com  
http://www.bluestone.com  
  
  
  
-- INTRINsec --  
  
  
INTRINsec is a French Security Specialist.  
http://www.INTRINsec.com  
This advisory is available in french.  
Cet avis est disponible en francais sur notre site.  
  
  
  
__ DISCLAMERS __  
  
  
  
INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDED  
THESES INFORMATIONS "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT  
LIABLE FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGES.  
  
  
--  
Gerald Grevrend : Securite Informatique  
http://www.INTRINsec.com  
`