BLUE MOON SECURITY ADVISORY 2009-01 =================================== :Title: Authentication bypass in Interspire Shopping Cart :Severity: Critical :Reporter: Truong Van Tri and Blue Moon Consulting :Products: Interspire Shopping Cart v4.0.1 Ultimate edition :Fixed in: v4.0.2 Description ----------- Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start, run, promote and profit from your online store. It combines easy-to-customize store designs with marketing tools proven to significantly increase your sales. In v4.0.1, ISC suffers from an authentication bypass problem. This allows anyone to login to ISC's control panel without knowing the administrator's password. The problem is with ``class.auth.php``'s ``ProcessLogin`` function. This function sets a HTTPOnly cookie flag ``RememberToken`` too early in the process, even before the user is authenticated. A malicious user could force ``ProcessLogin`` to set this cookie by ticking on ``Remember me`` at the login page, entering targeted username such as ``admin``, and anything as password. This first attemp will fail, but the cookie is already set, and ready to authenticate him/her to the control panel. Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition being showcased at http://www.interspire.com/shoppingcart/demo.php. It is highly likely that it also exists in older versions. Workaround ---------- There is no workaround. Please apply the fix. Fix --- The problem has been fixed in v4.0.2. Disclosure ---------- Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors. :Initial vendor contact: January 07, 2009: Initial contact sent to customerservice (at) interspire (dot) com [email concealed] and sales (at) interspire (dot) com [email concealed] :Vendor response: January 08, 2009: Chris Boulton requested further communications to be addressed to him directly. :Further communication: January 08, 2009: Prepared advisory is sent to Chris and regular update is requested. January 08, 2009: Chris updated us with a proper fix. January 08, 2009: Mitchell Harper updated us with Interspire's notification to their customers. January 08, 2009: Mitchell and Chris requested us to hold off full disclosure in 6 weeks to allow time for Interspire customers to get patched. January 08, 2009: We agreed to hold it off till 4.0.2 was released. January 08, 2009: Draft advisory was sent to Chris and Mitchell. January 08, 2009: Chris clarified that 4.0.2 had been released to address the issue. January 12, 2009: Mitchell requested us not to include full details such as steps to reproduce the bug. January 12, 2009: We explained our disclosure policy again to Mitchell, and sent an updated advisory. :Public disclosure: January 12, 2009 :Exploit code: No exploit code is needed. Disclaimer ---------- The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAklrWmYACgkQbKzcTD214ZeHkQCfYTV5y/x+UWWDwWa//nuUWzwA 3ScAn3Lfmb4EEXepEzDGPjJlT6ryaPP4 =ew7i -----END PGP SIGNATURE-----