lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAM95LejBfJ3nKOkg2JHzwd_LxLgkGmdB_qMJcLgOTzMiFZnWrA@mail.gmail.com>
Date: Thu, 7 Aug 2014 19:58:02 +1000
From: Nik Cubrilovic <nikcub@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CS-Cart v4.2.0 Session Hijack and Other Vulnerabilities

Vendor: CS-Cart
Homepage: https://www.cs-cart.com
Fixed in: v4.2.1
Released: July 22nd 2014

CS-Cart is 127MB of shitty PHP and HTML code that is supposed to
function as a secure e-commerce site. It is developed by people who
don't reply to emails but who covertly patch bugs reported to them and
then don't tell anyone about it. For some reason a lot of people run
it, and pay for it, and store customer credit cards in it.

In versions up to v4.2.0 the session ID is nothing more than the md5
hash of uniqid() with time() passed to it. Turns out uniqid() is
itself nothing more than a call to time(), and that makes a horrible
session ID.

Other bugs mean you can trigger session regeneration with a URL,
meaning you can narrow down the brute force search space.

Blog post explainer with exploit etc. here:

https://www.nikcub.com/posts/cs-cart-v4-2-0-session-hijacking-and-other-vulnerabilities/

Vendor changelog with no mention of security:

http://www.cs-cart.com/changelog421.html

see line:

> Sessions: Session ID is now generated with the OpenSSL:openssl_random_pseudo_bytes function.

Both my bug and my suggestion. You're welcome.

Nik

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ