Sapphire/Web is a framework for iCommerce platforms. This product has a security flaw in its authentication scheme that allows an attacker to easily replace his identity with the identity of any other currently connected client.
Credit:
This vulnerability was found by INTRINsec.
Sapphire/Web authenticates its clients with an id stored in a session cookie: after you send your login and password, the server returns a session cookie containing the id for that session.
There are two flaws in this id scheme:
- the id is highly predictable: it is a counter incremented by one, so given your own id it is easy to guess the ids of the clients who connected just before you.
- the id lasts for the entire session: it is not renewed at each HTTP request, so as long as the session has not been disconnected its id remains valid.
All an attacker has to do is connect to the Sapphire/Web server with a valid login/password and note his id, then make a request with a decremented id in the cookie. With some luck, he will access another client's session.
Bluestone does not provide a patch for this problem. You have to upgrade to the new version (V6.X), which lets you use your own authentication scheme instead of Bluestone's (which is flawed).
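The two design choices behind the flaw, and what a replacement authentication scheme should do instead, as an added example (not Bluestone's code; the class names, the starting counter value and the user names are constructed for illustration):

```python
import secrets


class CounterSessionStore:
    """Constructed stand-in for the flawed scheme: ids are a counter
    incremented by one per login, and the id is never renewed."""

    def __init__(self, start=1000):
        self._next = start
        self._sessions = {}  # session id -> user

    def login(self, user):
        sid = str(self._next)
        self._next += 1
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


class RandomSessionStore:
    """Hardened design: 128-bit ids from the OS CSPRNG, so a neighbouring
    session's id cannot be derived from your own, plus rotation so an id
    can be retired without ending the session."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)  # 16 random bytes, base64url-encoded
        self._sessions[sid] = user
        return sid

    def rotate(self, sid):
        """Replace the id of a live session; the old id stops working."""
        user = self._sessions.pop(sid, None)
        return None if user is None else self.login(user)

    def lookup(self, sid):
        return self._sessions.get(sid)


def ids_are_sequential(ids):
    """Audit check: True if the ids are integers that step by exactly one."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))
```

Running `ids_are_sequential` over a handful of ids captured from your own logins is a quick way to confirm whether a deployment still uses the counter scheme.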