Datalex Inc.'s BookIt! Consumer is a full-featured Internet booking engine that enables consumers to make travel reservations via the Internet. With BookIt! Consumer, travel enterprises and resellers can develop web-based applications that integrate travel booking, content and relationship management systems. More information about it is available at http://www.datalex.com/products_consumer.asp.
BookIt! Consumer stores and transmits passwords in clear text. Specifically, the following two vulnerabilities exist:
When generating or updating a profile, the user is presented with the following three options:
Save User ID to this computer?
Save User ID and Password to this computer?
Don't Save User ID and Password to this computer.
If either of the first two options is selected, the user ID and/or password are stored in a cookie in clear text. The cookie uses the following format:
As seen above, the user ID and password are clearly visible. It should be noted that tickets.amtrak.com uses "Save Amtrak User ID and Password to this computer?" as its default setting.
When updating a profile, certain web sites (e.g. tickets.amtrak.com) pass all form variables, including passwords, using the GET method. The following web sites contain the aforementioned vulnerabilities:
Storing authentication credentials in cookies is not a good idea, as cookies can be stolen through cross-site scripting attacks or local access to the hard drive. Once cookies have been stolen, an attacker can gain access to the vulnerable site and masquerade as a legitimate user. The exposure is worse when authentication credentials are stored in clear text: the username and password can then be obtained merely by viewing the cookie contents.
Passing sensitive variables such as passwords in the URL using the GET method may expose the authentication credentials to attackers. URLs may be stored in proxy or web server log files. Anyone who has access to the logs will be able to view the user's credentials in clear text.
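An added example, not part of the original advisory and not Datalex code: a scan of web server access logs for requests that carry a password in the query string, which is where the GET-based exposure described above ends up on disk. The parameter names, paths and log lines are constructed assumptions, since the advisory does not give the form field names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed field names: the advisory does not list the form variables.
SENSITIVE = ("password", "passwd", "pwd", "pass")

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Sensitive parameter anywhere in the line (request target or Referer).
REDACT_RE = re.compile(r'([?&](?:%s)=)[^&\s"]*' % "|".join(SENSITIVE), re.IGNORECASE)


def find_credential_leaks(lines):
    """Return (line_no, method, path, param_names) for every logged request
    whose query string carries a non-empty password-like parameter."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        parts = urlsplit(match.group("target"))
        hits = sorted({name.lower() for name, value in parse_qsl(parts.query)
                       if name.lower() in SENSITIVE and value})
        if hits:
            findings.append((line_no, match.group("method"), parts.path, hits))
    return findings


def redact(line):
    """Mask sensitive parameter values so the line can be kept or shared."""
    return REDACT_RE.sub(r"\1[REDACTED]", line)


# Constructed sample log lines (hosts, paths and values are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] '
    '"GET /profile/update?userid=jdoe&password=Example123 HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2002:10:00:05 +0000] '
    '"POST /profile/update HTTP/1.0" 200 512',
    '192.0.2.12 - - [01/Jan/2002:10:00:09 +0000] '
    '"GET /search?from=NYP&to=WAS HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for line_no, method, path, names in find_credential_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(names)}")
        print("  redacted:", redact(SAMPLE_LOG[line_no - 1]))
```

The POST request in the sample produces no finding because its body is not written to the access log, which is why moving the form to POST removes this particular exposure.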
All versions of Datalex BookIt! Consumer before version 2.2 are vulnerable.
Use the "Don't Save User ID and Password to this computer" option when creating or updating user profiles. This should prevent authentication credentials from being stored within cookies in clear text. Reconfiguring the web server to pass form variables using the POST method could prevent the second vulnerability.
According to Jim Peters of Datalex, versions 2.2 and later encrypt passwords using the Tiny Encryption Algorithm prior to storing them in a cookie. The latest version available is 2.4. More information about upgrading is available by contacting Datalex via information at http://www.datalex.com/company_contact.asp.
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project did not assign an identification number for this issue.
Michael Sutton (email@example.com) was credited with discovering this vulnerability.