Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Mon Jun 10 2002 - 10:42:27 CDT
iDEFENSE Security Advisory 06.10.2002
Datalex BookIt! Consumer Password Vulnerabilities
Datalex PLC's BookIt! Consumer stores and transmits passwords in clear text. BookIt! is a suite of travel booking products that allows airlines, travel agencies and other travel enterprises to sell travel reservations via a web based portal. BookIt! is used by many corporations including Amtrak, as noted on their company website (http://www.datalex.com/company_clients.asp).
By default, BookIt! Consumer does not handle passwords securely. Specifically, the following two vulnerabilities exist:
1. When generating or updating a profile, the user is presented with the following three options:
* Save User ID to this computer?
* Save User ID and Password to this computer?
* Don't Save User ID and Password to this computer.
If either of the first two options are selected, the user ID and/or password are stored in a cookie in clear text. The cookie uses the following format:
As seen above, the user ID and password are clearly visible. It should be noted that tickets.amtrak.com uses "Save Amtrak User ID and Password to this computer?" as its default setting.
2. When updating a profile, certain sites (e.g. tickets.amtrak.com) pass all form variables, including passwords using the GET method.
The following web sites contain the aforementioned vulnerabilities:
Datalex, http://www.datalex.com, June 3, 2002
Jim Peters, Jim.Petersdatalex.com, June 3-5, 2002
Storing authentication credentials in cookies is never a good idea as cookies can be stolen through cross-site scripting attacks or local access to the hard drive. Once cookies have been stolen, an attacker can gain access to the vulnerable site and masquerade as a legitimate user. This vulnerability is enhanced when authentication credentials are stored in clear text. In this situation the username and password can be obtained merely by viewing the cookie contents.
Passing sensitive variables such as passwords in the URL using the GET method may expose the authentication credentials to attackers. URLs may be stored in proxy or web server log files. Anyone that has access to the logs will be able to view the user's credentials in clear text.
Datalex Bookit! Consumer prior to version 2.2 is vulnerable. According to Datalex, version 2.2 and above encrypt passwords using the Tiny Encryption Algorithm prior to storing them in a cookies.
Users can prevent having authentication credentials stored within cookies in clear text by using the "Don't Save User ID and Password to this computer" option when creating or updating user profiles. Reconfiguring the web server to pass form variables using the POST method could prevent the second vulnerability.
Upgrade to Bookit! Consumer version 2.2 by contacting Datalex.
Michael Sutton, CISA
Senior Security Engineer
14151 Newbrook Drive, Suite 100
Chantilly, VA 20151