[NEWS] Datalex BookIt! Consumer Password Vulnerabilities

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 11 Jun 2002 08:00:41 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Datalex BookIt! Consumer Password Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Datalex PLC's BookIt! Consumer (http://www.datalex.com/products.asp) stores
and transmits passwords in clear text. Datalex PLC's BookIt! is a suite of
travel booking products that allow airlines, travel agencies and other
travel enterprises to sell travel reservations via a web based portal. By
default, BookIt! Consumer does not handle passwords securely, but rather
stores and transmits them in clear text.

DETAILS

Vulnerable systems:
Datalex BookIt! Consumer versions prior to 2.2

Immune systems:
Datalex BookIt! Consumer version 2.2

Profile generation:
1. When generating or updating a profile, the user is presented with the
following three options:
 * Save User ID to this computer?
 * Save User ID and Password to this computer?
 * Don't Save User ID and Password to this computer.

If either of the first two options is selected, the user ID and/or
password are stored in cookies in clear text. The stored cookies use the
following format:
bookituserid1055
user_ID
powered.gohop.com/JBookIt
1536
3759767808
29567477
812114976
29494044
*
bookitpassword1055
password
powered.gohop.com/JBookIt
1536
3759767808
29567477
812274976
29494044

As seen above, the user ID and password are clearly visible. It should be
noted that tickets.amtrak.com uses "Save Amtrak User ID and Password to
this computer?" as its default setting.

Profile updating:
2. When updating a profile, certain sites (e.g. tickets.amtrak.com) pass
all form variables, including passwords, using the GET method.

The following web sites contain the aforementioned vulnerabilities:
 * http://powered.gohop.com/backpacker/home.htm
 * http://tickets.amtrak.com

Analysis:
Storing authentication credentials in cookies is never a good idea, as
cookies can be stolen through cross-site scripting attacks or local access
to the hard drive. Once cookies have been stolen, an attacker can gain
access to the vulnerable site and masquerade as a legitimate user. This
vulnerability is compounded when the credentials are stored in clear text:
the username and password can then be obtained merely by viewing the
cookie contents.

Passing sensitive variables such as passwords in the URL using the GET
method may expose the authentication credentials to attackers. URLs are
routinely stored in proxy and web server log files, so anyone who has
access to the logs will be able to view the user's credentials in clear
text.
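As an added illustration (not part of the advisory or of Datalex's product), the following Python script checks for both findings from the defender's side: it parses a cookie dump in the record layout quoted above and flags records whose names suggest a stored user ID or password, and it scans web server access-log lines for GET requests carrying credential-like query parameters. The cookie and log samples are constructed; the field layout, log format, URL paths and parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the record layout quoted in the advisory: name, value,
# domain/path, then numeric flag/time fields, records separated by a "*" line.
COOKIE_DUMP = """bookituserid1055
user_ID
powered.gohop.com/JBookIt
1536
3759767808
29567477
812114976
29494044
*
bookitpassword1055
password
powered.gohop.com/JBookIt
1536
3759767808
29567477
812274976
29494044
"""
# Constructed Common Log Format lines; paths and parameter names are assumptions.
ACCESS_LOG = """10.0.0.5 - - [11/Jun/2002:08:00:41 +0200] "GET /JBookIt/profile?userid=jdoe&password=hunter2 HTTP/1.0" 200 512
10.0.0.6 - - [11/Jun/2002:08:01:02 +0200] "POST /JBookIt/profile HTTP/1.0" 200 512
"""
CREDENTIAL_NAME = re.compile(r"user.?id|passw", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def parse_cookie_dump(text):
    """Return (name, value, path) per record; the field order is an assumption."""
    blocks = [b.splitlines() for b in text.split("*\n")]
    return [(b[0], b[1], b[2]) for b in blocks if len(b) >= 3]

def credential_cookies(text):
    """Cookie records whose name suggests a stored user ID or password."""
    return [(n, v) for n, v, _ in parse_cookie_dump(text) if CREDENTIAL_NAME.search(n)]

def credentials_in_get_requests(log_text):
    """(path, parameter) pairs where a logged GET carries a credential-like query key."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m or m.group("method") != "GET":
            continue  # POST bodies are not written to the access log
        url = urlsplit(m.group("target"))
        for key in parse_qs(url.query, keep_blank_values=True):
            if CREDENTIAL_NAME.search(key):
                hits.append((url.path, key))
    return hits
```

Running both checks over real cookie exports and access logs is a quick way to confirm whether an upgrade or the POST workaround has actually removed clear-text credentials from disk and from logs.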

Vendor response:
Datalex BookIt! Consumer prior to version 2.2 is vulnerable. According to
Datalex, version 2.2 and above encrypt passwords using the Tiny Encryption
Algorithm prior to storing them in cookies.

Workaround:
Users can prevent having authentication credentials stored within cookies
in clear text by using the "Don't Save User ID and Password to this
computer" option when creating or updating user profiles. Reconfiguring
the web server to pass form variables using the POST method could prevent
the second vulnerability.

Vendor fix:
Upgrade to BookIt! Consumer version 2.2 by contacting Datalex.

ADDITIONAL INFORMATION

The information has been provided by Michael Sutton (msutton@idefense.com).
