KGB Vulnerability Advisory 20060903-4

Title: Universal Business Supply Authentication Credentials Stored in Cookie
Date: 03 September 2006
Author: Particle Bored
Vulnerability Class: Information Disclosure, Session Hijacking
Affected Systems: http://www.universalbusinesssupply.com/

Overview:
Valid user name/password combinations are stored in clear text on the client PC. An application session ID is also stored in the cookie.

Technical Details:
The application stores the user's valid user name/password combination in a cookie on the client PC in clear text. The same cookie also carries an application session ID.

Impact:
System administrators, users of shared PCs and anyone else with logical access to the local hard drive can read valid user name/password pairs from the cookie. This is the only information required to impersonate another user of the system. If the web server does not adequately validate application session IDs (for example, if it accepts any client-supplied ID without checking it against its own record of live sessions), the session ID stored in the cookie may also allow a previous session to be hijacked.

Recommendations:
Do not store authentication credentials in a cookie; keep authentication state on the server and give the client only an opaque session identifier. Do not trust any client-supplied data, including session IDs: validate every session ID against the server's own session records before acting on it.

Discovered: 22 August 2006
Vendor Notified: 03 September 2006 (webmaster@universalbusinesssupply.com)
General Release: 22 October 2006, after no response from the vendor

Public Disclosure:
In order to best serve the interests of all parties affected, this advisory will be made publicly available 30 days after the initial vendor notification.

Disclaimer:
The information in this advisory is believed to be accurate at the time of publishing based on currently available information. The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
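The two recommendations above, shown as an added example that is not part of the original advisory and not code from Universal Business Supply. The first function reproduces the reported pattern (the credential pair itself written to the client); the rest is a minimal server-side session store in which the client holds only a random opaque token that the server checks against its own records, with an idle timeout, before honouring it. The cookie names (`ubs_user`, `ubs_pass`, `ubs_session`), the timeout, and the sample credentials are all assumptions made for the illustration.

```python
"""Added example (not from the advisory or the vendor): the cookie pattern the
advisory reports beside a server-side session design that follows its two
recommendations. Names, values and timeouts are constructed for illustration."""
import secrets
import time
from http.cookies import CookieError, SimpleCookie


def vulnerable_login_cookies(username: str, password: str) -> list:
    """The pattern the advisory reports: the credential pair itself is sent to
    the client as Set-Cookie values. Anyone who can read the cookie jar on disk
    has everything needed to log in as this user (hypothetical cookie names)."""
    return [f"ubs_user={username}", f"ubs_pass={password}"]  # clear text: the bug


class SessionStore:
    """Server-side table of opaque session IDs. The client only ever holds a
    random token; the record of who is logged in never leaves the server."""

    def __init__(self, ttl_seconds: int = 1800, clock=time.time):
        self._ttl = ttl_seconds      # hypothetical idle timeout
        self._clock = clock          # injectable for testing expiry
        self._sessions = {}          # token -> (username, expires_at)

    def create(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG: the ID carries no user data and cannot
        # be guessed or derived from anything the client already knows.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._clock() + self._ttl)
        return token

    def resolve(self, token: str):
        """Return the username bound to token, or None. Unknown, forged and
        expired tokens all fail the same way: the client's claim is never
        trusted, only the server's own record of live sessions."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]  # a stale session is dropped, not revived
            return None
        return username

    def destroy(self, token: str) -> None:
        """Logout: invalidate server-side so a copied token is useless afterwards."""
        self._sessions.pop(token, None)


def secure_login_cookie(store: SessionStore, username: str) -> str:
    """Set-Cookie value for a fresh session: only the opaque token goes to the
    client. HttpOnly keeps script from reading it, Secure keeps it off plaintext
    HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    token = store.create(username)
    return f"ubs_session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def authenticate_request(store: SessionStore, cookie_header: str):
    """Given the raw Cookie request header, return the logged-in username or
    None. Nothing in the header is believed until the store confirms it."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:       # malformed header: treat the request as anonymous
        return None
    morsel = jar.get("ubs_session")
    if morsel is None:
        return None
    return store.resolve(morsel.value)


if __name__ == "__main__":
    # Constructed walk-through with a hypothetical user and password.
    print(vulnerable_login_cookies("alice", "hunter2"))
    store = SessionStore()
    set_cookie = secure_login_cookie(store, "alice")
    token = set_cookie.split(";")[0].split("=", 1)[1]
    print(set_cookie)
    print(authenticate_request(store, f"ubs_session={token}"))   # alice
    print(authenticate_request(store, "ubs_session=" + "A" * 43))  # None
```

The check that matters is in `resolve`: an ID the server did not issue, or one past its expiry, yields no identity, so a session ID copied out of a cookie jar cannot resume an old session. The `HttpOnly` and `Secure` attributes are defence in depth for the token; they do nothing for credential cookies, which are unsafe however they are flagged.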
About KGB: KGB is an independent vulnerability research organization based in the United States. It provides the results of its research free of charge since that is all most development companies are willing to pay for security and quality assurance. Copyright 2006 KGB.TO. All rights reserved. Permission is hereby granted for the redistribution of this advisory electronically. It is not to be edited in any way without express consent of KGB.TO. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email particle.bored@kgb.to for permission.