BLUE MOON SECURITY ADVISORY 2009-01

Title:Authentication bypass in Interspire Shopping Cart
Severity:Critical
Reporter:Truong Van Tri and Blue Moon Consulting
Products:Interspire Shopping Cart v4.0.1 Ultimate edition
Fixed in:v4.0.2

Description

Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start, run, promote and profit from your online store. It combines easy-to-customize store designs with marketing tools proven to significantly increase your sales.

In v4.0.1, ISC suffers from an authentication bypass problem. This allows anyone to login to ISC's control panel without knowing the administrator's password.

The problem is with class.auth.php's ProcessLogin function. This function sets a HTTPOnly cookie flag RememberToken too early in the process, even before the user is authenticated. A malicious user could force ProcessLogin to set this cookie by ticking on Remember me at the login page, entering targeted username such as admin, and anything as password. This first attemp will fail, but the cookie is already set, and ready to authenticate him/her to the control panel.

Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition being showcased at http://www.interspire.com/shoppingcart/demo.php. It is highly likely that it also exists in older versions.

Workaround

There is no workaround. Please apply the fix.

Fix

The problem has been fixed in v4.0.2.

Disclosure

Blue Moon Consulting adapts RFPolicy v2.0 in notifying vendors.

Initial vendor contact:
 

January 07, 2009: Initial contact sent to customerservice@interspire.com and sales@interspire.com

Vendor response:
 

January 08, 2009: Chris Boulton requested further communications to be addressed to him directly.

Further communication:
 

January 08, 2009: Prepared advisory is sent to Chris and regular update is requested.

January 08, 2009: Chris updated us with a proper fix.

January 08, 2009: Mitchell Harper updated us with Interspire's notification to their customers.

January 08, 2009: Mitchell and Chris requested us to hold off full disclosure in 6 weeks to allow time for Interspire customers to get patched.

January 08, 2009: We agreed to hold it off till 4.0.2 was released.

January 08, 2009: Draft advisory was sent to Chris and Mitchell.

January 08, 2009: Chris clarified that 4.0.2 had been released to address the issue.

January 12, 2009: Mitchell requested us not to include full details such as steps to reproduce the bug.

January 12, 2009: We explained our disclosure policy again to Mitchell, and sent an updated advisory.

Public disclosure:
 

January 12, 2009

Exploit code:

No exploit code is needed.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.