Bugtraq mailing list archives

Web Forum Account Hijacking Vuln.


From: Aj Effin Reznor <aj () reznor com>
Date: Tue, 30 Oct 2001 11:42:17 -0800 (PST)



:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 Unique Referers Combined With Lack Of Robust User Authentication
              Leaves User Accounts Open For Hijacking              
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

        Sierra Community Use of HTTP GET with User Authentication:
Unique HTTP_REFERER environment data provides account login and ID,
rendering user accounts open to hijack.


::::::::::
 Affected
::::::::::

Known:
        http://community.sierra.com/


::::::::::
 Abstract
::::::::::

        It was noticed on October 17, 2001 that on that same day 
a member of Sierra On-Line's (http://www.sierra.com) web-based community 
(http://community.sierra.com/) had apparently found an interesting image
on our site (http://www.reznor.com/) and had posted a link to the image
in a forum.

        This was evident by the noticeable increase in http traffic 
requesting the image in question.  The interesting part of this, though,
is that each request had a different http referer field.  All fields
started with the base of "http://community.sierra.com/WebX?", which was 
followed by a series of 5 or 6 numbers with an @ interspersed within,
a decimal point, eleven mixed-case alphanumeric characters, a caret (^),
5 or 6 numerals, an @ followed by a decimal point, and the string
"ef35920" which appeared to be a thread identifier.

        Examples[1]:
"http://community.sierra.com/WebX?14@231.uMQSa6Ygt25^72082@.ef35920";
"http://community.sierra.com/WebX?14@251.6vvMaantubt^376799@.ef35920";
"http://community.sierra.com/WebX?230@53.SsOPaaIVudE^0@.ef35920";
|-------Referring Host------|---v---|-------User ID--------|---v---|
                                |                              |
                                |                              |
                             Server                         Thread
                             ID ?                           ID


        It is unclear if the trailing numerals in the "Server ID" above
are an actual server identifier, or part of the "User ID" string.

        While we did not try to craft unique "User ID" strings, it was noticed
that there is a definite correlation between the User ID as it appears
in the http referer field and the URL in the browser's "location bar" when
a user is editing their preferences.  Shouldn't be too hard to figure 
out. ;)


:::::::::::::
 Particulars
:::::::::::::

        What was found was that copying any one of these unique referers
and pasting it into a web browser would not just show you the forum page
that the link was posted in (along with user comments) but that you were
essentially logged in as the user that had clicked on the http link and
generated the http log entry.

        From this point, site access was granted as the user.  One could
post messages in forums as the user, view and change preferences, including 
the .sig, icons or images the user associates with himself when posting, 
subscription information, and one would also have access to the nifty little 
"delete my account" button.

        Uncool.

        Per RFP's Disclosure Policy v2.0, mail was sent to:
        o  support () sierra com
        o  security-alert () sierra com
        o  secure () sierra com
        o  security () sierra com
        o  info () sierra com
at 15:57 PST on October 17, 2001.  support () sierra com sent an auto-
reply, telling me I should "expect a response from (them) within 48
hours."  Aside from automated agents, no response has been received as of
this writing (October 29, 2001, 14:40 PST).

        According to http://www.netcraft.com/ Sierra's community runs 
on a Web Crossing 4.0 server on Solaris.  Comments inside the html reveal:

   Page produced by Web Crossing(r) Unix-v4.0 built Sep 18 2001 
   (http://webcrossing.com/) for HavasInteractive

   User interface (c)Copyright 1995-2001 by Web Crossing, Inc. All rights reserved.


::::::::::
 Severity
::::::::::

        It would be trivial for anyone to create an account on
http://community.sierra.com/ and post a message with a link to an offsite
image or page on which the person has read access to the web server logs,
view the unique referers, and use them to log in and wreak overall
havoc on the communities that Sierra provides for their users.

        The actual severity of this situation is dependent, of course, on how 
much Sierra values the disposition of their userbase and how badly they care
to protect their users' accounts.


:::::::::::::::::::::::
 Solution / Workaround
:::::::::::::::::::::::

        This problem would be resolved if Sierra Community utilized the HTTP
POST method for user authentication.  Then the HTTP_REFERER environment
variable would contain no useful account information.
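Added example, not part of the original post: the log-side counterpart to the referer format described in the Abstract and the fix proposed here. An operator of a referring site can scan an Apache combined-format access log for referers carrying the WebX session shape (flagging exposed user tokens) and redact them before logs are kept or shared. The regex for the token layout is an assumption derived from the description above, not Web Crossing documentation, and the log lines are constructed.

```python
import re

# Referer layout described in the advisory: the WebX base, then <digits>@<digits>.,
# eleven mixed-case alphanumerics (the per-user token), ^<digits>@., and a thread id.
# This regex is an assumption derived from that description, not Web Crossing documentation.
WEBX_REFERER = re.compile(
    r"^http://community\.sierra\.com/WebX\?"
    r"(?P<prefix>\d+@\d+)\."
    r"(?P<user_id>[A-Za-z0-9]{11})"
    r"\^(?P<server_id>\d+)@\."
    r"(?P<thread_id>[A-Za-z0-9]+)$"
)

# Apache combined log format; group 1 is the client, group 3 the quoted Referer field.
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample log lines (not a real capture); the first two carry WebX referers.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2001:09:12:01 -0700] "GET /img/funny.gif HTTP/1.0" 200 8123 "http://community.sierra.com/WebX?14@231.uMQSa6Ygt25^72082@.ef35920" "Mozilla/4.0"
203.0.113.9 - - [17/Oct/2001:09:12:45 -0700] "GET /img/funny.gif HTTP/1.0" 200 8123 "http://community.sierra.com/WebX?230@53.SsOPaaIVudE^0@.ef35920" "Mozilla/4.0"
198.51.100.4 - - [17/Oct/2001:09:13:10 -0700] "GET /index.html HTTP/1.0" 200 512 "http://www.example.net/links.html" "Mozilla/4.0"
198.51.100.5 - - [17/Oct/2001:09:13:30 -0700] "GET /img/funny.gif HTTP/1.0" 200 8123 "-" "Mozilla/4.0"
"""


def parse_webx_referer(referer):
    """Split a WebX referer into its components, or return None if it has another shape."""
    m = WEBX_REFERER.match(referer)
    return m.groupdict() if m else None


def find_leaked_sessions(log_text):
    """Return (client_ip, user_id) for each line whose Referer carries a WebX user token."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        parts = parse_webx_referer(m.group(3)) if m else None
        if parts:
            hits.append((m.group(1), parts["user_id"]))
    return hits


def redact_line(line):
    """Mask the user token in a WebX referer so stored or shared logs hold no usable login."""
    m = COMBINED.match(line)
    w = WEBX_REFERER.match(m.group(3)) if m else None
    if not w:
        return line
    s, e = m.span(3)
    return line[:s] + m.group(3).replace(w.group("user_id"), "[REDACTED]") + line[e:]
```

Run `find_leaked_sessions(SAMPLE_LOG)` to list which clients exposed a token, and pass each line through `redact_line` before archiving the log.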


:::::
 411
:::::

        Sierra is:
        o  Sierra On-Line, Inc., 3060 139th Ave SE #500, Bellevue, WA 98005 U.S.A.

        Web Crossing is:
        o  Web Crossing, Inc., US Sales Phone: 916.314.3100 (California)

        I am:
        o  aj reznor, aj () reznor com


::::::::
 Thanks
::::::::

        I'd like to take a moment to thank the following:
        o  Jay Dyson (http://www.treachery.net/), for technical and
           presentation input.
        o  Karin, for always forcing me to challenge myself, and
           everything else.
        o  SecurityFocus.com, for keeping the dataflow alive.
        o  Ryan Russell @ Security Focus.
        o  WK and the ISN list for giving me a forum to point out just how
           inadequate the media really is.  Or call it "putting up wit me."
        o  Sierra, for never responding ;)


:::::::
 NOTES
:::::::
        [1] URLs have been *slightly* obfuscated to protect the unknowing.




-aj.