Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21193
HistoryJan 18, 2009 - 12:00 a.m.

[BMSA-2009-01] Authentication bypass in Interspire Shopping Cart v4.0.1 and below

2009-01-1800:00:00
vulners.com
12

BLUE MOON SECURITY ADVISORY 2009-01

:Title: Authentication bypass in Interspire Shopping Cart
:Severity: Critical
:Reporter: Truong Van Tri and Blue Moon Consulting
:Products: Interspire Shopping Cart v4.0.1 Ultimate edition
:Fixed in: v4.0.2

Description

Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start,
run, promote and profit from your online store. It combines easy-to-customize store designs with
marketing tools proven to significantly increase your sales.

In v4.0.1, ISC suffers from an authentication bypass problem. This allows anyone to login to ISC's
control panel without knowing the administrator's password.

The problem is with ``class.auth.php``'s ``ProcessLogin`` function. This function sets a HTTPOnly
cookie flag ``RememberToken`` too early in the process, even before the user is authenticated. A
malicious user could force ``ProcessLogin`` to set this cookie by ticking on ``Remember me`` at the
login page, entering targeted username such as ``admin``, and anything as password. This first
attemp will fail, but the cookie is already set, and ready to authenticate him/her to the control
panel.

Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition being showcased at
http://www.interspire.com/shoppingcart/demo.php. It is highly likely that it also exists in older
versions.

Workaround

There is no workaround. Please apply the fix.

Fix

The problem has been fixed in v4.0.2.

Disclosure

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html&gt;&#96;_ in notifying
vendors.

:Initial vendor contact:

January 07, 2009: Initial contact sent to [email protected] and [email protected]

:Vendor response:

January 08, 2009: Chris Boulton requested further communications to be addressed to him directly.

:Further communication:

January 08, 2009: Prepared advisory is sent to Chris and regular update is requested.

January 08, 2009: Chris updated us with a proper fix.

January 08, 2009: Mitchell Harper updated us with Interspire's notification to their customers.

January 08, 2009: Mitchell and Chris requested us to hold off full disclosure in 6 weeks to allow
time for Interspire customers to get patched.

January 08, 2009: We agreed to hold it off till 4.0.2 was released.

January 08, 2009: Draft advisory was sent to Chris and Mitchell.

January 08, 2009: Chris clarified that 4.0.2 had been released to address the issue.

January 12, 2009: Mitchell requested us not to include full details such as steps to reproduce
the bug.

January 12, 2009: We explained our disclosure policy again to Mitchell, and sent an updated
advisory.

:Public disclosure: January 12, 2009

:Exploit code: No exploit code is needed.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue
Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. Your use of the information on
the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co.,
Ltd reserves the right to change or update this notice at any time.