Spree e-commerce JSON Hijacking Vulnerabilities

2010.11.20
Credit: Rodrigo Branco
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2010-3978
CWE: CWE-200


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Dear List, I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Spree e-commerce JSON Hijacking Vulnerabilities CVE-2010-3978 INTRODUCTION Spree e-commerce is an open source commerce platform written for the Ruby on Rails framework supporting "Over 100 extensions created by our active and dedicated community". This problem was confirmed in the following versions of the Spree e-commerce, other versions maybe also affected. All 0.11.x versions The upcoming code 0.30.x versions CVSS Scoring System The CVSS score is: 2.7 Base Score: 3.3 Temporal Score: 2.7 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:N/A:N Temporal score is: E:F/RL:OF/RC:C DETAILS There are multiple JSON Hijacking vulnerabilities and as result, an attacker can steal confidential information such as: product costs, price and quantities and users email, encrypted password, tokens, OpenID identifier, phone and address as well as orders count and values by period. There are some pages within the default Spree installation that use JavaScript Object Notation (JSON) as a transport mechanism between the client and the server. As the application cannot differentiate real requests from forged requests, and the JSON object returned can be accessed by the attacker's malicious code via a script tag, those pages are vulnerable to an attack known as JSON Hijacking. The affected pages are: - /admin/products.json - /admin/users.json - /admin/overview/get_report_data Proof of concept exploitation code is available to interested parties. CREDITS This vulnerability has been brought to our attention by Gabriel Quadros from Conviso IT Security company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT). -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense

References:

http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/
https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135
https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac
http://www.securityfocus.com/archive/1/archive/1/514674/100/0/threaded
http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/
http://www.conviso.com.br/json-hijacking-vulnerability/
http://twitter.com/conviso/statuses/29555076248
http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top