| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Aug 2014 19:58:02 +1000 From: Nik Cubrilovic <nikcub@...il.com> To: fulldisclosure@...lists.org Subject: [FD] CS-Cart v4.2.0 Session Hijack and Other Vulnerabilities Vendor: CS-Cart Homepage: https://www.cs-cart.com Fixed in: v4.2.1 Released: July 22nd 2014 CS-Cart is 127MB of shitty PHP and HTML code that is supposed to function as a secure e-commerce site. It is developed by people who don't reply to emails but who covertly patch bugs reported to them and then don't tell anyone about it. For some reason a lot of people run it, and pay for it, and store customer credit cards in it. In versions up to v4.2.0 the session ID is nothing more than the md5 hash of uniqid() with time() passed to it. Turns out uniqid() is itself nothing more than a call to time(), and that makes a horrible session ID. Other bugs mean you can trigger session regeneration with a URL, meaning you can narrow down the brute force search space. Blog post explainer with exploit etc. here: https://www.nikcub.com/posts/cs-cart-v4-2-0-session-hijacking-and-other-vulnerabilities/ Vendor changelog with no mention of security: http://www.cs-cart.com/changelog421.html see line: > Sessions: Session ID is now generated with the OpenSSL:openssl_random_pseudo_bytes function. Both my bug and my suggestion. You're welcome. Nik _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists