[NEWS] IConnectHere.com Unencrypted Cookie Vulnerability
From: support@securiteam.com
Date: 11/13/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] IConnectHere.com Unencrypted Cookie Vulnerability
Message-Id: <20011113222339.0A639138BF@mail.der-keiler.de>
Date: Tue, 13 Nov 2001 23:23:39 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IConnectHere.com Unencrypted Cookie Vulnerability
------------------------------------------------------------------------
SUMMARY
IConnectHere.com is a popular IP telephony service provider that allows
its users to manage their account from the web. There are several security
problems with its account management system and authentication
infrastructure that can lead to the compromise of the user's UserID and
Password.
DETAILS
By default, when a user connects to the web site to manage his/her
account, the web server sets a cookie with the pattern:
Cookie: backup=UID=XXXXXXXX&FIRSTNAME=ABC&CURRENCY%5FSYMBOL=%24&PIN=XXXX&AID=3&PROMOID=132&CURRENCYID=161&PRICEPLAN=247&BANKED=0&STATUS=3&LASTNAME=DEF&BALANCE=1097&PCTOPHONETYPEID=4&EMAIL=xxx%40sample%2Eorg&LANGID=29&ZONESYMBOL=EST; FVAL=XX5FGHY=A5BF6767ED3D51181F10508B11F4E1; FlatRate=STATUS=%2D1; D3Box=FILESERVERIP=213%2E137%2E73%2E160&FILESERVERDIR=ipost&MAILADDRESS=+&COOKIESTATUS=+
As seen above, this cookie is stored on the client side unencrypted, and
the server accordingly reads it back without any decryption step.
Under Windows NT/2000, cookies are only accessible by the Administrator or
by the currently logged-in user who owns the cookie. However, under Windows
9X/ME they are world accessible.
Clearly, using the unencrypted cookie is an authentication weakness,
because this cookie can be read by a third party who is currently sniffing
the network ('Man in the Middle Attack'). Also, the PC-To-Phone client
stores the userid and password as clear text in temp.html under the
program files directory, and transmits this information in clear text,
which likewise makes a Man in the Middle attack possible.
Many attack scenarios can be developed here, such as cookie session
hijacking, etc.
Solution:
The vendor has been informed and is expected to provide a secure
authentication infrastructure. Note that in general, cookies which contain
sensitive information must be encrypted with a strong algorithm.
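
A server-side audit of the cookie pattern shown in this advisory, as an added example that is not part of the original bulletin or the vendor's code: it parses the nested, URL-encoded fields, flags the readable sensitive ones, and contrasts them with an opaque random session token. The sample header is constructed from the advisory's placeholders; SENSITIVE, issue_session and the in-memory store are assumptions of this example, and the token approach is an alternative to the cookie encryption recommended above.

```python
import secrets
from urllib.parse import parse_qsl

# Field names flagged as sensitive (this example's choice, taken from the
# advisory's cookie pattern).
SENSITIVE = {"UID", "PIN", "EMAIL"}

# Constructed sample following the advisory's pattern; placeholder values only.
SAMPLE = (
    "backup=UID=XXXXXXXX&FIRSTNAME=ABC&CURRENCY%5FSYMBOL=%24&PIN=XXXX"
    "&EMAIL=xxx%40sample%2Eorg&BALANCE=1097; FlatRate=STATUS=%2D1; "
    "D3Box=FILESERVERIP=213%2E137%2E73%2E160&FILESERVERDIR=ipost"
)

def parse_cookie_header(header):
    """Split a Cookie header into {cookie_name: {field: decoded_value}}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            # Each value is itself a URL-encoded key=value&key=value list.
            cookies[name] = dict(parse_qsl(value, keep_blank_values=True))
    return cookies

def find_cleartext_fields(header, sensitive=SENSITIVE):
    """Return sorted (cookie, field) pairs whose sensitive value is readable."""
    return sorted(
        (cookie, field)
        for cookie, fields in parse_cookie_header(header).items()
        for field in fields
        if field.upper() in sensitive
    )

def issue_session(store, account):
    """Hypothetical fix: keep the fields server-side, send only a random token."""
    token = secrets.token_urlsafe(32)
    store[token] = dict(account)
    return "session=" + token

if __name__ == "__main__":
    print(find_cleartext_fields(SAMPLE))
    store = {}
    header = issue_session(store, parse_cookie_header(SAMPLE)["backup"])
    print(find_cleartext_fields(header))
```

The token is still a bearer credential, so it has to travel over HTTPS with the Secure and HttpOnly cookie attributes set; the advisory's sniffing concern applies to any cookie sent in clear.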
ADDITIONAL INFORMATION
The information has been provided by Egemen Tas <egemen@btkom.com>.