[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Spree e-commerce JSON Hijacking Vulnerabilities - CVE-2010-3978

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Spree e-commerce JSON Hijacking Vulnerabilities - CVE-2010-3978
From: Rodrigo Branco <rbranco@xxxxxxxxxxxxxx>
Date: Mon, 8 Nov 2010 06:53:16 -0800

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to 
publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Spree e-commerce JSON Hijacking Vulnerabilities
CVE-2010-3978


INTRODUCTION


Spree e-commerce is an open source commerce platform written for the Ruby on 
Rails framework supporting "Over 100 extensions created by our active and 
dedicated community".

This problem was confirmed in the following versions of the Spree e-commerce, 
other versions maybe also affected.

All 0.11.x versions
The upcoming code 0.30.x versions


CVSS Scoring System

The CVSS score is: 2.7
        Base Score: 3.3
        Temporal Score: 2.7
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:N/A:N
        Temporal score is: E:F/RL:OF/RC:C


DETAILS

There are multiple JSON Hijacking vulnerabilities and as result, an attacker 
can steal confidential information such as: product costs, price and quantities 
and users email, encrypted password, tokens, OpenID identifier, phone and 
address as well as orders count and values by period.

There are some pages within the default Spree installation that use JavaScript 
Object Notation (JSON) as a transport mechanism between the client and the 
server. As the application cannot differentiate real requests from forged 
requests, and the JSON object returned can be accessed by the attacker's 
malicious code via a script tag, those pages are vulnerable to an attack known 
as JSON Hijacking.

The affected pages are:
        - /admin/products.json
        - /admin/users.json
        - /admin/overview/get_report_data

Proof of concept exploitation code is available to interested parties.

        

CREDITS

This vulnerability has been brought to our attention by Gabriel Quadros from 
Conviso IT Security company (http://www.conviso.com.br) and researched 
internally by Rodrigo Rubira Branco from the Check Point Vulnerability 
Discovery Team (VDT).





--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense

Prev by Date: some ooold Juniper bugs (was: [Full-disclosure] ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)
Next by Date: Seo Panel 2.1.0 - Critical File Disclosure
Previous by thread: some ooold Juniper bugs (was: [Full-disclosure] ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)
Next by thread: Seo Panel 2.1.0 - Critical File Disclosure
Index(es):
- Date
- Thread