SecurityTracker.com
Category:   Application (Commerce)  >   BookIt! Consumer
Vendors:   Datalex
Datalex BookIt! Consumer Discloses a User's Password to Local or Remote Users
SecurityTracker Alert ID:  1004502
SecurityTracker URL:  http://securitytracker.com/id/1004502
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 10 2002
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 2.2
Description:   A vulnerability has been reported in Datalex's BookIt! Consumer travel system software. A remote user may be able to view a user's password.

iDEFENSE issued a security advisory warning that BookIt! stores passwords on a user's computer and transmits passwords in clear text. When a remote user generates or updates a profile and selects "Save User ID to this computer" or "Save User ID and Password to this computer", the user ID and/or password is stored in clear text within a cookie in the user's browser.

The cookie format is as follows:

bookituserid1055
user_ID
[host]/JBookIt
1536
3759767808
29567477
812114976
29494044
*
bookitpassword1055
password
[host]/JBookIt
1536
3759767808
29567477
812274976
29494044
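
To check which cookies an application leaves on disk in this layout, the records can be parsed and audited by name. The following is an added example, not code from the advisory or from Datalex; it assumes the layout is the legacy Internet Explorer cookie file format (name, value, host/path, flags, expiry low/high, creation low/high, `*` terminator), and the host and values in the sample are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the record layout shown above: placeholder host and
# values, numeric fields as listed on the page, last record left unterminated.
SAMPLE = "\n".join([
    "bookituserid1055", "user_ID", "shop.example/JBookIt", "1536",
    "3759767808", "29567477", "812114976", "29494044", "*",
    "bookitpassword1055", "password", "shop.example/JBookIt", "1536",
    "3759767808", "29567477", "812274976", "29494044",
])

CREDENTIAL_HINTS = ("password", "passwd", "pwd", "userid")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(low, high):
    """Assumption: fields 5-8 are low/high FILETIME words (100 ns ticks since 1601)."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text):
    """Return one dict per 8-field record; a '*' line ends each record."""
    records, fields = [], []
    for line in text.splitlines() + ["*"]:  # sentinel closes a final record
        if line.strip() != "*":
            fields.append(line.strip())
            continue
        if len(fields) == 8:
            name, value, scope, flags, exp_lo, exp_hi, new_lo, new_hi = fields
            records.append({"name": name, "value": value, "scope": scope,
                            "created": filetime(new_lo, new_hi),
                            "expires": filetime(exp_lo, exp_hi)})
        fields = []
    return records


def audit(text):
    """Flag cookies whose name suggests a stored credential; never echo the value."""
    findings = []
    for c in parse_cookie_file(text):
        if any(hint in c["name"].lower() for hint in CREDENTIAL_HINTS):
            findings.append({"name": c["name"], "scope": c["scope"],
                             "value_length": len(c["value"]),
                             "created": c["created"].date().isoformat(),
                             "lifetime_days": (c["expires"] - c["created"]).days})
    return findings
```

Under that assumption the timestamps in the listing decode to a cookie created on 3 June 2002 with a one-year lifetime, which is how long a cleartext value would remain on disk.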

According to the report, when a remote user updates their profile, some web sites will pass all form variables, including passwords, using the GET method.

The user's password may be obtained via several methods. A local user may obtain the cookie from the cookie file. A remote user may obtain the cookie from a web proxy (if one is used) or may sniff the network to view the password during transit.
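
Because form variables sent with GET become part of the URL, existing proxy or web server logs can be checked for this exposure and sanitized. The following is an added example, not code from the advisory or from Datalex; it assumes Common Log Format, and the log lines, paths and parameter names are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# End-anchored so that travel parameters such as "passengers" are not flagged.
SENSITIVE = re.compile(r"(?i)(password|passwd|pwd)$|^pass$")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed Common Log Format lines (documentation addresses, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2002:09:14:02 +0000] "GET /JBookIt/profile?userid=jdoe&password=hunter2&city=DUB HTTP/1.0" 200 5120
192.0.2.10 - - [10/Jun/2002:09:14:05 +0000] "GET /JBookIt/search?from=DUB&to=JFK&passengers=2 HTTP/1.0" 200 20480
192.0.2.11 - - [10/Jun/2002:09:15:40 +0000] "POST /JBookIt/profile HTTP/1.0" 302 0
192.0.2.12 - - [10/Jun/2002:09:16:11 +0000] "GET /JBookIt/login?User=ann&Pwd=s3cr%26t HTTP/1.0" 200 1024
"""


def scan(log_text):
    """Return one finding per request whose query string carries a credential."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we can parse
        parts = urlsplit(m["target"])
        params = parse_qsl(parts.query, keep_blank_values=True)
        hits = [name for name, _ in params if SENSITIVE.search(name)]
        if not hits:
            continue
        # Rebuild the query with credential values masked, for safe reporting.
        masked = urlencode([(k, "REDACTED" if SENSITIVE.search(k) else v)
                            for k, v in params])
        findings.append({"line": lineno, "method": m["method"],
                         "path": parts.path, "params": hits,
                         "redacted_line": line.replace(parts.query, masked)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["line"], finding["params"], finding["redacted_line"])
```

The query string is checked regardless of method, since a URL is logged the same way whether the request is a GET or a POST with parameters left in the URL.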

Impact:   A local or remote user could obtain a user's password.
Solution:   The vendor has issued a fixed version (2.2). This version (and later versions) reportedly encrypts the passwords using the Tiny Encryption Algorithm before storing them as cookies.
Vendor URL:  www.datalex.com/products_consumer.asp
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  Datalex BookIt! Consumer Password Vulnerabilities


iDEFENSE Security Advisory 06.10.2002

Datalex BookIt! Consumer Password Vulnerabilities

DESCRIPTION

Datalex PLC's BookIt! Consumer stores and transmits passwords in clear text. BookIt! is a suite of travel booking products that allows airlines, travel agencies and other travel enterprises to sell travel reservations via a web based portal. BookIt! is used by many corporations including Amtrak, as noted on their company website (http://www.datalex.com/company_clients.asp).

By default, BookIt! Consumer does not handle passwords securely. Specifically, the following two vulnerabilities exist:

1. When generating or updating a profile, the user is presented with the following three options:

* Save User ID to this computer?
* Save User ID and Password to this computer?
* Don't Save User ID and Password to this computer.

If either of the first two options is selected, the user ID and/or password are stored in a cookie in clear text. The cookie uses the following format:

bookituserid1055
user_ID
powered.gohop.com/JBookIt
1536
3759767808
29567477
812114976
29494044
*
bookitpassword1055
password
powered.gohop.com/JBookIt
1536
3759767808
29567477
812274976
29494044


As seen above, the user ID and password are clearly visible. It should be noted that tickets.amtrak.com uses "Save Amtrak User ID and Password to this computer?" as its default setting.

2. When updating a profile, certain sites (e.g. tickets.amtrak.com) pass all form variables, including passwords, using the GET method.

The following web sites contain the aforementioned vulnerabilities:

* http://powered.gohop.com/backpacker/home.htm
* http://tickets.amtrak.com

SOURCES

Datalex, http://www.datalex.com, June 3, 2002
Jim Peters, Jim.Peters@datalex.com, June 3-5, 2002

ANALYSIS

Storing authentication credentials in cookies is never a good idea as cookies can be stolen through cross-site scripting attacks or local access to the hard drive. Once cookies have been stolen, an attacker can gain access to the vulnerable site and masquerade as a legitimate user. This vulnerability is enhanced when authentication credentials are stored in clear text. In this situation the username and password can be obtained merely by viewing the cookie contents.

Passing sensitive variables such as passwords in the URL using the GET method may expose the authentication credentials to attackers. URLs may be stored in proxy or web server log files. Anyone that has access to the logs will be able to view the user's credentials in clear text.

VENDOR RESPONSE

Datalex BookIt! Consumer prior to version 2.2 is vulnerable. According to Datalex, version 2.2 and above encrypt passwords using the Tiny Encryption Algorithm prior to storing them in a cookie.

WORKAROUND

Users can prevent having authentication credentials stored within cookies in clear text by using the "Don't Save User ID and Password to this computer" option when creating or updating user profiles. Reconfiguring the web server to pass form variables using the POST method could prevent the second vulnerability.

VENDOR FIX

Upgrade to BookIt! Consumer version 2.2 by contacting Datalex.


Michael Sutton, CISA 
Senior Security Engineer 
iDEFENSE Labs
14151 Newbrook Drive, Suite 100
Chantilly, VA 20151
direct: 703.344.2628
voice: 703.961.1070
fax: 703.961.1071

msutton@idefense.com 
www.idefense.com 



 
 

