Open Source and information security mailing list archives
 
Message-Id: <0D3B1ABA-8E49-4496-81D0-826C13B2D9AA@Christian-Schneider.net>
Date: Sat, 20 Sep 2014 23:12:11 +0200
From: Christian Schneider <mail@...istian-Schneider.net>
To: bugtraq@...urityfocus.com
Subject: CVE-2014-5516   CSRF protection bypass in "KonaKart" Java eCommerce product

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE-2014-5516
===================
"Cross-Site Request Forgery (CSRF) protection bypass" (CWE-352) vulnerability 
in "KonaKart Storefront Application" Enterprise Java eCommerce product


Vendor
===================
DS Data Systems (UK) Ltd.


Product
===================
"KonaKart is an affordable java based shopping cart software solution for online retailers. 
Let KonaKart help increase your eCommerce sales."
 - source: http://www.konakart.com

"KonaKart is a Java eCommerce system aimed at medium to large online retailers."
 - source: https://en.wikipedia.org/wiki/KonaKart


Affected versions
===================
This vulnerability affects versions of KonaKart Storefront Application prior to 7.3.0.0


Patch
===================
The vendor has released an XSRF (CSRF) fix as part of version 7.3.0.0; see
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new


Reported by
===================
This issue was reported to the vendor by Christian Schneider (@cschneider4711) 
following a responsible disclosure process.


Severity
===================
Medium


Description
===================
The existing CSRF protection token was properly checked for every POST
request. When the request method was changed from POST to GET, all
state-changing actions still worked, but the CSRF token check was no
longer enforced, allowing CSRF attacks.
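As an added illustration (not code from this advisory or from KonaKart), the following Go program models the flaw with net/http. A change-e-mail handler sits behind a middleware that validates the anti-CSRF token only for POST requests; beside it is a hardened middleware that rejects any non-POST request to the state-changing action and reads the token from the POST body only, never from the query string. The handler name, route, session layout and token value are constructed for the demo. exercise() replays both the storefront's legitimate POST and the forged GET that an attacker-controlled page (an img src or a link) would trigger with the victim's cookies attached by the browser, which is the same request pattern used to change the victim's e-mail address in the escalation described below.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// demoToken is a constructed value standing in for a per-session anti-CSRF token.
const demoToken = "tok-bound-to-victim-session"

// session is constructed demo state: the token bound to a logged-in user's
// session on the server side, and the account field the action changes.
type session struct {
	csrfToken string
	email     string
}

// changeEmail is a hypothetical state-changing handler standing in for the
// storefront's "change e-mail address" action (not KonaKart code).
func changeEmail(sess *session) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// FormValue reads the query string as well as a POST body, which is
		// why the same action still "works" when it is reached over GET.
		e := r.FormValue("email")
		if e == "" {
			http.Error(w, "missing email", http.StatusBadRequest)
			return
		}
		sess.email = e
		fmt.Fprintf(w, "e-mail updated to %s\n", e)
	}
}

// tokenMatches compares the submitted token with the session token in constant time.
func tokenMatches(sess *session, got string) bool {
	return got != "" &&
		subtle.ConstantTimeCompare([]byte(got), []byte(sess.csrfToken)) == 1
}

// vulnerableCSRF reproduces the pattern the advisory describes: the token is
// validated for POST requests only, so a GET to the same URL skips the check.
func vulnerableCSRF(sess *session, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost &&
			!tokenMatches(sess, r.PostFormValue("csrf_token")) {
			http.Error(w, "bad CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedCSRF closes the gap: the state-changing action accepts POST only
// (GET and HEAD must stay side-effect free), and the token is taken from the
// POST body only, so a token leaked into a URL or referrer is never accepted.
func hardenedCSRF(sess *session, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !tokenMatches(sess, r.PostFormValue("csrf_token")) {
			http.Error(w, "bad CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// exercise sends one change-e-mail request through the chosen middleware on a
// fresh victim session and returns the HTTP status and the e-mail left in the
// session. A POST carries its parameters in a form body; a GET carries them in
// the query string, as a forged cross-site request would.
func exercise(hardened bool, method, token string) (int, string) {
	sess := &session{csrfToken: demoToken, email: "victim@example.com"}
	var h http.Handler = changeEmail(sess)
	if hardened {
		h = hardenedCSRF(sess, h)
	} else {
		h = vulnerableCSRF(sess, h)
	}
	params := url.Values{"email": {"attacker@example.net"}}
	if token != "" {
		params.Set("csrf_token", token)
	}
	var req *http.Request
	if method == http.MethodPost {
		req = httptest.NewRequest(method, "/account/change-email", strings.NewReader(params.Encode()))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	} else {
		req = httptest.NewRequest(method, "/account/change-email?"+params.Encode(), nil)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, sess.email
}

func main() {
	for _, c := range []struct {
		hardened      bool
		method, token string
	}{
		{false, http.MethodPost, ""},        // no token: rejected
		{false, http.MethodGet, ""},         // the bypass: accepted, e-mail changed
		{true, http.MethodGet, ""},          // hardened: method rejected
		{true, http.MethodPost, demoToken},  // legitimate form post still works
	} {
		code, email := exercise(c.hardened, c.method, c.token)
		fmt.Printf("hardened=%-5v %-4s token=%q -> %d, e-mail now %s\n",
			c.hardened, c.method, c.token, code, email)
	}
}
```

The point to verify when auditing any framework's CSRF filter is the one exercise(false, "GET", "") exposes: the token check must not be conditional on the method of the incoming request. Either the filter covers every request that can reach a state-changing action, or the action itself refuses everything but POST.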


Escalation potential
====================
A proof-of-concept exploit was provided to the vendor along with the
vulnerability report. It used the CSRF protection bypass to change a
victim's e-mail address to an attacker-supplied address, which then
allowed the attacker to reset the victim's account password.


Timeline
===================
2014-05-02        Vulnerability discovered
2014-05-02        Vulnerability responsibly reported to vendor
2014-05-02        Reply from vendor acknowledging report
2014-??-??        Vendor released patch as part of version 7.3.0.0
2014-09-20        Advisory published via BugTraq


References
===================
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
http://www.christian-schneider.net/advisories/CVE-2014-5516.txt



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAlQd69cACgkQXYAsOfddvFOTVACgr/f5+x5kf60t5LaCqhH0pvSY
QYoAnjiI0WSa3iGuw/OfXk3/vLV+liFm
=61mn
-----END PGP SIGNATURE-----
