From: alias@securityfocus.com
Date: Mon Jun 10 2002 - 10:42:27 CDT

    iDEFENSE Security Advisory 06.10.2002

    Datalex BookIt! Consumer Password Vulnerabilities

    DESCRIPTION

    Datalex PLC's BookIt! Consumer stores and transmits passwords in clear text. BookIt! is a suite of travel booking products that allows airlines, travel agencies and other travel enterprises to sell travel reservations via a web based portal. BookIt! is used by many corporations including Amtrak, as noted on their company website (http://www.datalex.com/company_clients.asp).

    By default, BookIt! Consumer does not handle passwords securely. Specifically, the following two vulnerabilities exist:

    1. When generating or updating a profile, the user is presented with the following three options:

    * Save User ID to this computer?
    * Save User ID and Password to this computer?
    * Don't Save User ID and Password to this computer.

    If either of the first two options is selected, the user ID and/or password is stored in a cookie in clear text. The cookie uses the following format:

    bookituserid1055
    user_ID
    powered.gohop.com/JBookIt
    1536
    3759767808
    29567477
    812114976
    29494044
    *
    bookitpassword1055
    password
    powered.gohop.com/JBookIt
    1536
    3759767808
    29567477
    812274976
    29494044

    As seen above, the user ID and password are clearly visible. It should be noted that tickets.amtrak.com uses "Save Amtrak User ID and Password to this computer?" as its default setting.

    2. When updating a profile, certain sites (e.g. tickets.amtrak.com) pass all form variables, including passwords, using the GET method.

    The following web sites contain the aforementioned vulnerabilities:

    * http://powered.gohop.com/backpacker/home.htm
    * http://tickets.amtrak.com

    SOURCES

    Datalex, http://www.datalex.com, June 3, 2002
    Jim Peters, Jim.Peters@datalex.com, June 3-5, 2002

    ANALYSIS

    Storing authentication credentials in cookies is never a good idea as cookies can be stolen through cross-site scripting attacks or local access to the hard drive. Once cookies have been stolen, an attacker can gain access to the vulnerable site and masquerade as a legitimate user. This vulnerability is enhanced when authentication credentials are stored in clear text. In this situation the username and password can be obtained merely by viewing the cookie contents.
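    The following script is an added example and is not part of the iDEFENSE advisory or of Datalex's product. It parses a cookie dump in the layout shown above (one field per line, records separated by a line holding a single "*") and reports any record whose name marks it as a stored user ID or password, so an administrator can check a machine for the vulnerable "save to this computer" setting without echoing the credential itself. The field order after name, value and domain/path is an assumption about the dump layout; the sample dump is constructed to mirror the advisory's, with the advisory's cookie names and placeholder values.

```python
"""Flag clear-text credential cookies in a BookIt!-style cookie dump.

Added example, not code from the advisory. Field names after the first three
are assumptions about the dump layout; the sample dump is constructed.
"""
import re

# Assumed field order per record: name, value, domain/path, then five numeric
# fields (flags, expiry low/high, creation low/high) that we keep verbatim.
FIELD_NAMES = ("name", "value", "domain_path", "flags",
               "expires_lo", "expires_hi", "created_lo", "created_hi")

# Records are separated by a line consisting only of '*'.
RECORD_SEPARATOR = re.compile(r"^\*\s*$", re.M)

# Constructed sample in the advisory's layout; values are placeholders.
SAMPLE_DUMP = """bookituserid1055
user_ID
powered.gohop.com/JBookIt
1536
3759767808
29567477
812114976
29494044
*
bookitpassword1055
password
powered.gohop.com/JBookIt
1536
3759767808
29567477
812274976
29494044
"""


def parse_cookie_dump(text):
    """Split the dump into records and map each record's lines to FIELD_NAMES."""
    records = []
    for chunk in RECORD_SEPARATOR.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if len(lines) < 3:          # need at least name, value, domain/path
            continue
        records.append(dict(zip(FIELD_NAMES, lines)))
    return records


def classify_cookie_name(name):
    """Return 'password', 'user_id' or None based on the cookie's name."""
    lowered = name.lower()
    if "password" in lowered or "passwd" in lowered or "pwd" in lowered:
        return "password"
    if "userid" in lowered or "user_id" in lowered or "login" in lowered:
        return "user_id"
    return None


def credential_cookies(records):
    """List records that hold a credential in clear text.

    The value itself is never copied into the finding; only its length is
    reported, which is enough to show the cookie is populated.
    """
    findings = []
    for rec in records:
        kind = classify_cookie_name(rec["name"])
        if kind:
            findings.append({"name": rec["name"], "kind": kind,
                             "domain_path": rec["domain_path"],
                             "value_length": len(rec["value"])})
    return findings


if __name__ == "__main__":
    for f in credential_cookies(parse_cookie_dump(SAMPLE_DUMP)):
        print(f"{f['kind']:8} {f['name']} for {f['domain_path']} "
              f"({f['value_length']} chars stored in clear text)")
```

    Run against a real cookie store, the script points at the records to delete and at the sites whose profile setting should be changed; it deliberately reports only the length of the stored value.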

    Passing sensitive variables such as passwords in the URL using the GET method may expose the authentication credentials to attackers. URLs may be stored in proxy or web server log files. Anyone that has access to the logs will be able to view the user's credentials in clear text.
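    As an added example that is not part of the advisory, the script below runs the check a log reviewer would want: it scans web or proxy access log lines in Common Log Format for GET requests whose query string carries a password-class parameter, and it also shows how to mask such values before the logs are retained. The log lines are constructed, and the parameter names (userid, password) are assumptions about the BookIt! profile form rather than values taken from the page.

```python
"""Detect and redact credentials passed via GET in access logs.

Added example, not code from the advisory. Log lines are constructed in
Common Log Format; parameter names are assumed, not taken from the page.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Extract method, request target and version from a CLF request field.
CLF_REQUEST = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/[\d.]+)"')

# Parameter names that should never appear in a URL (case-insensitive).
SENSITIVE_PARAM = re.compile(r"(pass(word|wd)?|pwd|pin|secret|token)", re.I)

# Constructed sample: one leaking GET, one POST (body not logged), one benign GET.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2002:10:42:27 -0500] "GET /JBookIt/profile?userid=jdoe&password=hunter2&action=update HTTP/1.1" 200 5120
10.0.0.6 - - [10/Jun/2002:10:43:01 -0500] "POST /JBookIt/profile HTTP/1.1" 302 0
10.0.0.7 - - [10/Jun/2002:10:43:30 -0500] "GET /JBookIt/search?dest=NYC&date=20020701 HTTP/1.1" 200 8844
"""


def find_credential_leaks(log_text):
    """Return (line number, path, [leaked parameter names]) for each GET
    whose query string contains a sensitive parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CLF_REQUEST.search(line)
        if not m or m.group("method") != "GET":
            continue                      # POST bodies are not in the log
        parts = urlsplit(m.group("target"))
        params = parse_qsl(parts.query, keep_blank_values=True)
        leaked = [k for k, _ in params if SENSITIVE_PARAM.search(k)]
        if leaked:
            findings.append((lineno, parts.path, leaked))
    return findings


def redact_request_target(target):
    """Mask sensitive query values so an existing log can be kept safely."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if SENSITIVE_PARAM.search(k) else v)
              for k, v in params]
    return urlunsplit(parts._replace(query=urlencode(masked)))


if __name__ == "__main__":
    for lineno, path, names in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {path} carries {', '.join(names)} in the URL")
    print(redact_request_target(
        "/JBookIt/profile?userid=jdoe&password=hunter2&action=update"))
```

    The POST line in the sample produces no finding because the form body is not written to the access log, which is exactly why the workaround of switching the form to POST removes the exposure; redaction only limits the damage in logs that were already written.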

    VENDOR RESPONSE

    Datalex BookIt! Consumer prior to version 2.2 is vulnerable. According to Datalex, version 2.2 and above encrypt passwords using the Tiny Encryption Algorithm prior to storing them in a cookie.

    WORKAROUND

    Users can prevent having authentication credentials stored within cookies in clear text by using the "Don't Save User ID and Password to this computer" option when creating or updating user profiles. Reconfiguring the web server to pass form variables using the POST method could prevent the second vulnerability.

    VENDOR FIX

    Upgrade to BookIt! Consumer version 2.2 by contacting Datalex.

    Michael Sutton, CISA
    Senior Security Engineer
    iDEFENSE Labs
    14151 Newbrook Drive, Suite 100
    Chantilly, VA 20151
    direct: 703.344.2628
    voice: 703.961.1070
    fax: 703.961.1071

    msutton@idefense.com
    www.idefense.com