<<< Date Index >>>     <<< Thread Index >>>

[BMSA-2009-01] Authentication bypass in Interspire Shopping Cart v4.0.1 and below



BLUE MOON SECURITY ADVISORY 2009-01
===================================


:Title: Authentication bypass in Interspire Shopping Cart
:Severity: Critical
:Reporter: Truong Van Tri and Blue Moon Consulting
:Products: Interspire Shopping Cart v4.0.1 Ultimate edition
:Fixed in: v4.0.2


Description
-----------

Interspire Shopping Cart (ISC) is ecommerce software that includes everything 
you need to start, run, promote and profit from your online store. It combines 
easy-to-customize store designs with marketing tools proven to significantly 
increase your sales.

In v4.0.1, ISC suffers from an authentication bypass problem. This allows 
anyone to login to ISC's control panel without knowing the administrator's 
password.

The problem is with ``class.auth.php``'s ``ProcessLogin`` function. This 
function sets a HTTPOnly cookie flag ``RememberToken`` too early in the 
process, even before the user is authenticated. A malicious user could force 
``ProcessLogin`` to set this cookie by ticking on ``Remember me`` at the login 
page, entering targeted username such as ``admin``, and anything as password. 
This first attemp will fail, but the cookie is already set, and ready to 
authenticate him/her to the control panel.

Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition 
being showcased at http://www.interspire.com/shoppingcart/demo.php. It is 
highly likely that it also exists in older versions.

Workaround
----------

There is no workaround. Please apply the fix.

Fix
---

The problem has been fixed in v4.0.2.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  January 07, 2009: Initial contact sent to customerservice@xxxxxxxxxxxxxx and 
sales@xxxxxxxxxxxxxx

:Vendor response:

  January 08, 2009: Chris Boulton requested further communications to be 
addressed to him directly.

:Further communication:

  January 08, 2009: Prepared advisory is sent to Chris and regular update is 
requested.

  January 08, 2009: Chris updated us with a proper fix.

  January 08, 2009: Mitchell Harper updated us with Interspire's notification 
to their customers.

  January 08, 2009: Mitchell and Chris requested us to hold off full disclosure 
in 6 weeks to allow time for Interspire customers to get patched.

  January 08, 2009: We agreed to hold it off till 4.0.2 was released.

  January 08, 2009: Draft advisory was sent to Chris and Mitchell.

  January 08, 2009: Chris clarified that 4.0.2 had been released to address the 
issue.

  January 12, 2009: Mitchell requested us not to include full details such as 
steps to reproduce the bug.

  January 12, 2009: We explained our disclosure policy again to Mitchell, and 
sent an updated advisory.

:Public disclosure: January 12, 2009

:Exploit code: No exploit code is needed.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.

Attachment: pgpPkGxlL6Lx2.pgp
Description: PGP signature