Public Vulnerability Reports

Datalex BookIt! Consumer password vulnerabilities

06.10.02

BACKGROUND

Datalex Inc.'s BookIt! Consumer is a full-featured Internet booking engine that enables consumers to make travel reservations via the Internet. With BookIt! Consumer, travel enterprises and resellers can develop web-based applications that integrate travel booking, content and relationship management systems. More information about it is available at http://www.datalex.com/products_consumer.asp.

DESCRIPTION

BookIt! Consumer stores and transmits passwords in clear text. Specifically, the following two vulnerabilities exist:

Vulnerability 1

When generating or updating a profile, the user is presented with the following three options:

Save User ID to this computer?
Save User ID and Password to this computer?
Don't Save User ID and Password to this computer.

If either of the first two options is selected, the user ID and/or password are stored in a cookie in clear text. The cookie uses the following format:

bookituserid1055
user_ID
powered.gohop.com/JBookIt
1536
3759767808
29567477
812114976
29494044

bookitpassword1055
password
powered.gohop.com/JBookIt
1536
3759767808
29567477
812274976
29494044

As seen above, the user ID and password are clearly visible. It should be noted that tickets.amtrak.com uses "Save Amtrak User ID and Password to this computer?" as its default setting.

Vulnerability 2

When updating a profile, certain web sites (e.g. tickets.amtrak.com) pass all form variables, including passwords, using the GET method. The following web sites contain the aforementioned vulnerabilities:

http://powered.gohop.com/backpacker/home.htm
http://tickets.amtrak.com

ANALYSIS

Storing authentication credentials in cookies is not a good idea, as cookies can be stolen through cross-site scripting attacks or local access to the hard drive. Once cookies have been stolen, an attacker can gain access to the vulnerable site and masquerade as a legitimate user. The risk is compounded when authentication credentials are stored in clear text: in that situation, the username and password can be obtained merely by viewing the cookie contents. Passing sensitive variables such as passwords in the URL using the GET method may likewise expose the authentication credentials to attackers, because URLs may be stored in proxy or web server log files. Anyone who has access to the logs will be able to view the user's credentials in clear text.
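As an added illustration, not part of the original advisory, the following Python checks for both exposures from the defender's side: it parses a cookie store in the record layout shown above (one record per blank-line separated block, third line "domain/path") and flags cookies whose names indicate a stored user ID or password, and it scans a proxy log line for GET requests that carried credential parameters in the query string. The log line, credential values and the parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample in the record layout shown above: name, value,
# domain/path, flags, then four numeric timestamp fields per record.
COOKIE_STORE = """\
bookituserid1055
user_ID
powered.gohop.com/JBookIt
1536
3759767808
29567477
812114976
29494044

bookitpassword1055
password
powered.gohop.com/JBookIt
1536
3759767808
29567477
812274976
29494044
"""
# Constructed proxy log line; the host is from the advisory, the values are made up.
PROXY_LOG = "1023710400 10.0.0.5 GET http://tickets.amtrak.com/JBookIt/profile?userid=alice&password=hunter2 200"
SENSITIVE = re.compile(r"passw(or)?d|pwd|user_?id", re.I)  # credential-bearing names

def parse_cookie_records(text):
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        domain = lines[2].split("/", 1)[0]  # "domain/path" -> domain only
        records.append({"name": lines[0], "value": lines[1], "domain": domain})
    return records

def credential_cookies(text):
    # Cookies whose name says they hold a user ID or password (Vulnerability 1).
    return [(r["name"], r["domain"]) for r in parse_cookie_records(text)
            if SENSITIVE.search(r["name"])]

def credential_params_in_log(log_text):
    # (host, parameter) pairs where a logged GET carried a credential (Vulnerability 2).
    hits = []
    for url in re.findall(r"https?://\S+", log_text):
        for param in parse_qs(urlsplit(url).query):
            if SENSITIVE.search(param):
                hits.append((urlsplit(url).netloc, param))
    return hits
```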

DETECTION

All versions of Datalex BookIt! Consumer before version 2.2 are vulnerable.

WORKAROUND

Use the "Don't Save User ID and Password to this computer" option when creating or updating user profiles. This should prevent authentication credentials from being stored within cookies in clear text. Reconfiguring the web application to pass form variables using the POST method could mitigate the second vulnerability.

VENDOR RESPONSE

According to Jim Peters of Datalex, version 2.2 and later encrypts passwords using the Tiny Encryption Algorithm prior to storing them in a cookie. The latest version available is 2.4. More information about upgrading is available by contacting Datalex via information at http://www.datalex.com/company_contact.asp.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project did not assign an identification number for this issue.

CREDIT

Michael Sutton (msutton@idefense.com) was credited with discovering this vulnerability.