Vulnerabilities 2009
PR08-17 Broadvision CMS vulnerable to session fixation and disclosure of session IDs (DRAFT)
- Advisory publicly released: Monday, 7 September 2009
- Vulnerability found: Wednesday, 2 July 2008
- Vendor informed: Tuesday, 8 July 2008
Credits
Adrian Pastor of ProCheckUp Ltd. (www.procheckup.com)
Description
http://www.broadvision.com
Provided that an attacker can set a session ID for the target domain on the victim's browser, the target application will take the newly-set session ID as valid. Once the victim user logs in, the session ID set by the attacker is now considered active by the application.
At this point, the attacker can go to the target site using the same session ID that was set on the victim user's session and hijack his/her account.
There are several ways an attacker can set a cookie-based session ID in the victim user's browser:
- by launching an XSS (cross-site scripting) attack against the target domain that writes to the 'document.cookie' object
- by launching an HTML injection attack against the target domain that uses a '<META>' tag with the 'Set-Cookie' attribute
- by launching a CRLF injection attack that tricks the target site into returning a 'Set-Cookie:' HTTP response header
Additionally, Broadvision CMS submits session IDs within URLs, which is bad practice for several reasons.
Since session IDs travel in URLs they can be saved in the web browser's history. Not only can session IDs be potentially stolen from the browser history but also from proxy logs (provided that website visitors connect through a proxy) and 'Referer' headers.
If the target site submits visitors' behaviour to a third-party company for tracking purposes (e.g. Omniture), session IDs would also be submitted to that company. As a company using Broadvision CMS in an e-commerce environment you should ask yourself the following question: Do I trust my web analytics service provider enough to give them full access to all users' session IDs?
Proof of concept
BEFORE LOGGING IN
In cookies:
BV_IDS=ccdfadeeigdmjgicflgceggdhhmdgml.0:@@@@0424248801.1215513337@@@@
In URLs:
BV_SessionID=@@@@0424248801.1215513337@@@@&BV_EngineID=ccdfadeeigdmjgicflgceggdhhmdgml.0
AFTER LOGGING IN
In cookies:
BV_IDS=ccdfadeeigdmjgicflgceggdhhmdgml.0:@@@@0424248801.1215513337@@@@
In URLs:
BV_SessionID=@@@@0424248801.1215513337@@@@&BV_EngineID=ccdfadeeigdmjgicflgceggdhhmdgml.0
Note: the syntax in cookies is [BV_EngineID]:[BV_SessionID]
How to fix
The web application should only issue a newly generated session ID to a user after he/she has successfully authenticated (as opposed to issuing one on the first visit to the site, for instance).
This means that even if an attacker could set a session ID of his/her choice in the victim user's browser, that session ID would no longer be considered valid once the victim user logs into the application (a new session ID would be generated instead).
Restrict session IDs to 'Cookie:' headers only; never transmit them within URLs.
Consequences
User sessions can be hijacked.
Vendor Response
"Our Engineers have reviewed the vulnerability advisory, and do not consider this to be a security risk in that we work with our customers to ensure that the issues described do not lead to an actual security risk."
References
ProCheckUp Vulnerabilities
http://www.procheckup.com/vulnerability_manager
http://www.broadvision.com/
http://en.wikipedia.org/wiki/Session_fixation
http://www.owasp.org/index.php/Session_Fixation
Legal
Copyright 2008 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
