[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2014-5516 CSRF protection bypass in "KonaKart" Java eCommerce product



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE-2014-5516
===================
"Cross-Site Request Forgery (CSRF) protection bypass" (CWE-352) vulnerability 
in "KonaKart Storefront Application" Enterprise Java eCommerce product


Vendor
===================
DS Data Systems (UK) Ltd.


Product
===================
"KonaKart is an affordable java based shopping cart software solution for online retailers. 
Let KonaKart help increase your eCommerce sales."
 - source: http://www.konakart.com

"KonaKart is a Java eCommerce system aimed at medium to large online retailers."
 - source: https://en.wikipedia.org/wiki/KonaKart


Affected versions
===================
This vulnerability affects versions of KonaKart Storefront Application prior to 7.3.0.0


Patch
===================
The vendor has released a XSRF fix as part of version 7.3.0.0 at
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new


Reported by
===================
This issue was reported to the vendor by Christian Schneider (@cschneider4711) 
following a responsible disclosure process.


Severity
===================
Medium


Description
===================
The existing CSRF protection token was checked for every POST request
properly. When modifying the request from POST method to GET method 
all state-changing actions worked as well, but the CSRF token protection 
was no longer enforced, allowing CSRF attacks.


Escalation potential
====================
Exploitation demonstration was responsibly provided along with the vulnerability 
report to the vendor, which changed a victim's mail address (using the CSRF 
protection bypass) to an attacker-supplied mail address, allowing a successful 
reset of victim's account password by the attacker.


Timeline
===================
2014-05-02        Vulnerability discovered
2014-05-02        Vulnerability responsibly reported to vendor
2014-05-02        Reply from vendor acknowledging report
2014-??-??        Vendor released patch as part of version 7.3.0.0
2014-09-20        Advisory published via BugTraq


References
===================
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
http://www.christian-schneider.net/advisories/CVE-2014-5516.txt



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAlQd69cACgkQXYAsOfddvFOTVACgr/f5+x5kf60t5LaCqhH0pvSY
QYoAnjiI0WSa3iGuw/OfXk3/vLV+liFm
=61mn
-----END PGP SIGNATURE-----