SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Web Crossing (WebX)
Vendors:   Web Crossing, Inc.
Web Crossing Discussion and Chat Software Uses Weak Session Authentication That Allows Remote Users to Hijack User Sessions
SecurityTracker Alert ID:  1002667
SecurityTracker URL:  http://securitytracker.com/id/1002667
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 31 2001
Impact:   Disclosure of authentication information, User access via network
Exploit Included:  Yes  
Version(s): apparently all versions may be affected
Description:   A session authentication vulnerability was reported in Web Crossing's community bulletin board application (WebX). Inadequate session authentication allows remote users to hijack sessions and take actions on behalf of the hijacked user.

It is reported that Web Crossing carries the session authentication token in the URL. As a result, when a bulletin board message contains a link to a resource on another web site (such as an image hosted there), the user's browser discloses the URL-based authentication token to that site via the HTTP Referer header. A remote user who can read that site's web server logs can thereby obtain the authentication information needed to hijack the user's session.

Impact:   A remote user can hijack a user session and take any actions that the user can perform, including viewing and posting messages, changing preferences, and deleting the user account.
Solution:   No solution was available at the time of this entry.
Vendor URL:  webcrossing.com/WebX/Home/products
Cause:   Authentication error
Underlying OS:   Linux (Any), MacOS, UNIX (Any), Windows (NT), Windows (95), Windows (98)

Message History:   None.


 Source Message Contents

Date:  Tue, 30 Oct 2001 11:42:17 -0800 (PST)
Subject:  Web Forum Account Hijacking Vuln.




:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 Unique Referers Combined With Lack Of Robust User Authentication
              Leaves User Accounts Open For Hijacking              
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

	Sierra Community Use of HTTP GET with User Authentication:
Unique HTTP_REFERER environment data provides account login and ID,
rendering user accounts open to hijack.


::::::::::
 Affected
::::::::::

Known:
	http://community.sierra.com/


::::::::::
 Abstract
::::::::::

	It was noticed on October 17, 2001 that on that same day 
a member of Sierra On-Line's (http://www.sierra.com) web-based community 
(http://community.sierra.com/) had apparently found an interesting image
on our site (http://www.reznor.com/) and had posted a link to the image
in a forum.

	This was evident by the noticeable increase in http traffic 
requesting the image in question.  The interesting part of this, though,
is that each request had a different http referring field.  All fields
started with the base of "http://community.sierra.com/WebX?" which was 
followed by a series of 5 or 6 numbers which had an @ interspersed within,
a decimal, eleven mixed-case alphanumeric characters, a caret (^),
5 or 6 numerals, an @ followed by a decimal point, and the string
"ef35920" which appeared to be a thread identifier.

	Examples[1]:
"http://community.sierra.com/WebX?14@231.uMQSa6Ygt25^72082@.ef35920"
"http://community.sierra.com/WebX?14@251.6vvMaantubt^376799@.ef35920"
"http://community.sierra.com/WebX?230@53.SsOPaaIVudE^0@.ef35920"
|-------Referring Host------|---v---|-------User ID--------|---v---|
                                |                              |
                                |                              |
                             Server                         Thread
                             ID ?                           ID


	It is unclear if the trailing numerals in the "Server ID" above
are an actual server identifier, or part of the "User ID" string.

	While we did not try to craft unique "User ID" strings, it was noticed
that there is a definite correlation between the User ID as it appears
in the http referer field and the URL in the browser's "location bar" when
a user is editing their preferences.  Shouldn't be too hard to figure 
out. ;)


:::::::::::::
 Particulars
:::::::::::::

	What was found was that copying any one of these unique referers
and pasting it into a web browser would not just show you the forum page
that the link was posted in (along with user comments) but that you were
essentially logged in as the user that had clicked on the http link and
generated the http log entry.

	From this point, site access was granted as the user.  One could
post messages in forums as the user, view and change preferences, including 
the .sig, icons or images the user associates with himself when posting, 
subscription information, and one would also have access to the nifty little 
"delete my account" button.

	Uncool.

	Per RFP's Disclosure Policy v2.0, mail was sent to:
	o  support@sierra.com
	o  security-alert@sierra.com
	o  secure@sierra.com
	o  security@sierra.com
	o  info@sierra.com
at 15:57 PST on October 17, 2001.  support@sierra.com sent an auto-
reply, telling me I should "expect a response from (them) within 48
hours."  Aside from automated agents, no response has been received as of
this writing (October 29, 2001, 14:40 PST).

	According to http://www.netcraft.com/ Sierra's community runs 
on a Web Crossing 4.0 server on Solaris.  Comments inside the html reveal:

   Page produced by Web Crossing(r) Unix-v4.0 built Sep 18 2001 
   (http://webcrossing.com/) for HavasInteractive

   User interface (c)Copyright 1995-2001 by Web Crossing, Inc. All rights reserved.


::::::::::
 Severity
::::::::::

	It would be trivial for anyone to create an account on
http://community.sierra.com/ and post a message with a link to an offsite
image or page on which the person has read access to the web server logs
and view the unique referers, and use them to log in and wreak overall
havoc on the communities that Sierra provides for their users.

	The actual severity of this situation is dependent, of course, on how 
much Sierra values the disposition of their userbase and how badly they care
to protect their users' accounts.


:::::::::::::::::::::::
 Solution / Workaround
:::::::::::::::::::::::

	This problem would be resolved if Sierra Community utilized the HTTP
POST method for user authentication.  Then the HTTP_REFERER environment
variable would contain no useful account information.


:::::
 411
:::::

	Sierra is:
	o  Sierra On-Line, Inc., 3060 139th Ave SE #500, Bellevue, WA 98005 U.S.A.

	Web Crossing is:
	o  Web Crossing, Inc., US Sales Phone: 916.314.3100 (California)

	I am:
	o  aj reznor, aj@reznor.com


::::::::
 Thanks
::::::::

	I'd like to take a moment to thank the following:
	o  Jay Dyson (http://www.treachery.net/), for technical and
	   presentation input.
	o  Karin, for always forcing me to challenge myself, and
	   everything else.
	o  SecurityFocus.com, for keeping the dataflow alive.
	o  Ryan Russell @ Security Focus.
	o  WK and the ISN list for giving me a forum to point out just how
	   inadequate the media really is.  Or call it "putting up wit me."
	o  Sierra, for never responding ;)


:::::::
 NOTES
:::::::
	[1] URLs have been *slightly* obfuscated to protect the unknowing.




-aj.
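The following is an added example, not part of the advisory or of Web Crossing's software. It shows how the operator of a site that receives hits like those described above could confirm, from their own access log, that a referring site is placing session tokens in its URLs, so they can notify that site's administrators. The token layout is the one the author describes (server id, 11-character user id, caret, numerals, thread id); the log lines are constructed, and only a count of distinct tokens per referring host is reported, so the tokens themselves are not re-exposed.

```python
import re
from urllib.parse import urlsplit

# Query-string layout taken from the advisory's description of the WebX URL:
#   <digits>@<digits>.<11 alphanumerics>^<digits>@.<thread id>
WEBX_SESSION_RE = re.compile(
    r"^(?P<server>\d+@\d+)\.(?P<user>[A-Za-z0-9]{11})\^(?P<trail>\d+)@\.(?P<thread>[A-Za-z0-9]+)$"
)

# Common Log Format with the Referer and User-Agent fields appended.
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "(?P<referer>[^"]*)"')

# Constructed sample log lines (not real log data); the Referer values reuse
# the obfuscated example URLs quoted in the advisory.
SAMPLE_LOG = """\
10.0.0.1 - - [17/Oct/2001:10:01:02 -0700] "GET /img/foo.gif HTTP/1.0" 200 512 "http://community.sierra.com/WebX?14@231.uMQSa6Ygt25^72082@.ef35920" "Mozilla/4.0"
10.0.0.2 - - [17/Oct/2001:10:02:15 -0700] "GET /img/foo.gif HTTP/1.0" 200 512 "http://community.sierra.com/WebX?230@53.SsOPaaIVudE^0@.ef35920" "Mozilla/4.0"
10.0.0.3 - - [17/Oct/2001:10:03:40 -0700] "GET /index.html HTTP/1.0" 200 2048 "http://www.example.com/links.html" "Mozilla/4.0"
10.0.0.4 - - [17/Oct/2001:10:04:01 -0700] "GET /img/foo.gif HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""


def parse_webx_referer(referer):
    """Return the token fields if the Referer is a WebX URL whose query string
    matches the session-token layout described in the advisory, else None."""
    parts = urlsplit(referer)
    if not parts.path.endswith("/WebX"):
        return None
    m = WEBX_SESSION_RE.match(parts.query)
    if not m:
        return None
    return {"host": parts.netloc, **m.groupdict()}


def summarize_leaks(log_text):
    """Scan access-log lines and count, per referring host, how many distinct
    session tokens arrived in the Referer header. Only the counts are returned,
    so the summary can be shared with the referring site without exposing tokens."""
    distinct = {}
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        fields = parse_webx_referer(m.group("referer"))
        if fields:
            distinct.setdefault(fields["host"], set()).add(fields["user"])
    return {host: len(tokens) for host, tokens in distinct.items()}


if __name__ == "__main__":
    print(summarize_leaks(SAMPLE_LOG))  # {'community.sierra.com': 2}
```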

Copyright 2014, SecurityGlobal.net LLC