Subject: [Security] Spoofed Id in Bluestone Sapphire/Web
To: BUGTRAQ@SECURITYFOCUS.COM

INTRINsec Security Advisory

Release Date     : September 02, 1999
Software         : Bluestone Sapphire/Web V5
Operating System : Solaris
Impact           : An attacker can access the sessions of other connected clients.
Author           : Gerald.Grevrend@INTRINsec.com
Status           : Bluestone has been notified.
URLs             : http://www.INTRINsec.com

__ Digest __

Sapphire/Web is a framework for iCommerce platforms. This product has a
security flaw in its authentication scheme that allows an attacker to easily
usurp the identity of the currently connected clients. Bluestone has been
notified and will not correct this bug.

__ Technical Details and Exploits __

To authenticate its clients, Sapphire/Web uses an id stored in a session
cookie as its authentication scheme. After you have sent your login/password,
Sapphire/Web sends you back a session cookie containing your id for this
session.

There are two flaws in this id authentication scheme:

- The id is highly predictable: it is a counter incremented one by one, so
  given your own id, it is easy to guess the ids of the clients who connected
  just before you.
- The id lasts for your whole session: it is not renewed at each HTTP request,
  so as long as the session has not been disconnected, its id is certain to
  still be valid.

All the attacker has to do is connect to the Sapphire/Web server with a valid
login/password and note the id. He can then make a request with a decreased id
in his cookie. With some luck, he will access the session of another client.

__ Solutions __

Bluestone does not provide a patch for this problem. You have to upgrade your
software to the new version (V6.X), which allows you to use your own
authentication scheme.

__ Contacts __

-- Bluestone Software --

Support Services
1000 Briggs Road
Mount Laurel, New Jersey 08054-4101
Phone: 856.778.7900
Fax: 856.234.2877
support@bluestone.com
http://www.bluestone.com

-- INTRINsec --

INTRINsec is a French security specialist.
http://www.INTRINsec.com

This advisory is also available in French on our site.

__ DISCLAIMERS __

INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDES
THIS INFORMATION "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT LIABLE
FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

--
Gerald Grevrend : Information Security
http://www.INTRINsec.com
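The two flaws in the Technical Details section, as an added Python example that is not Bluestone's or INTRINsec's code (Sapphire/Web's implementation is not public here): a session store that mirrors the counter-based, never-renewed id scheme, a hardened store that issues unguessable ids and rotates them after login, and a check a reviewer can run over ids sampled from consecutive logins to flag a counter-style scheme. All class and function names are hypothetical.

```python
import secrets
from itertools import count


class CounterSessionStore:
    """Weak scheme described in the advisory: a per-login counter incremented
    by one, and the same id kept for the whole life of the session."""
    def __init__(self):
        self._next = count(1000)   # constructed starting value
        self.sessions = {}         # session id -> user name

    def login(self, user):
        sid = str(next(self._next))
        self.sessions[sid] = user
        return sid


class RandomSessionStore:
    """Hardened form: ids come from the OS CSPRNG so a neighbour's id cannot be
    derived from your own, and rotate() invalidates an id once it has been seen."""
    def __init__(self):
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy
        self.sessions[sid] = user
        return sid

    def rotate(self, sid):
        # Replace the id after authentication: the old value stops being valid.
        user = self.sessions.pop(sid, None)
        if user is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user
        return new_sid

    def lookup(self, sid):
        return self.sessions.get(sid)


def looks_sequential(ids, max_step=10):
    """Assessment check: given ids sampled from consecutive logins, return True
    when they are all integers that advance by a small positive step."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)
```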