COMMAND

    Bluestone Sapphire/Web V5

SYSTEMS AFFECTED

    Solaris

PROBLEM

    Following is based on the INTRINsec Security Advisory by Gerald
    Grevrend.  Sapphire/Web is a framework for iCommerce platforms.
    This product has a security flaw in its authentication scheme
    that allows an attacker to easily usurp the identity of the
    currently connected clients.

    To authenticate its clients, Sapphire/Web uses an id stored in a
    session cookie.  After you have sent your login/password,
    Sapphire/Web sends you back a session cookie containing your id
    for this session.  There are two flaws in this id-based
    authentication scheme:

    - the id is highly predictable: it is a counter incremented by
      one, so given your id, it is easy to guess the ids of people
      who connected just before you.
    - the id lasts for your whole session: it isn't renewed at each
      HTTP request, so as long as the session hasn't been
      disconnected, its id remains valid.

    All the attacker has to do is connect to the Sapphire/Web server
    with a valid login/password and note the id.  He can then make a
    request with a decreased id in the cookie.  With some luck, he
    will access the session of another client.
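    The two flaws can be seen side by side in the following added
    example (not code from the advisory or from Bluestone): a session
    store that issues counter-based ids as described above, next to
    one that issues random ids and rotates them, plus a small audit
    check that flags a sequential id scheme.  All class and function
    names are made up for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class SessionStore:
    """Maps session ids to the user who owns them (in-memory, for illustration)."""
    sessions: Dict[str, str] = field(default_factory=dict)
    next_id: int = 1000  # state used only by the weak counter scheme

    # Weak scheme, as described in the advisory: ids are a counter
    # incremented by one, so a neighbour's id is one subtraction away.
    def issue_counter_id(self, user: str) -> str:
        sid = str(self.next_id)
        self.next_id += 1
        self.sessions[sid] = user
        return sid

    # Hardened scheme: 256 bits from the OS CSPRNG, unrelated to login order.
    def issue_random_id(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def rotate(self, old_sid: str) -> Optional[str]:
        """Replace a session id with a fresh one (after login, or periodically),
        so a captured or guessed id does not stay valid for the whole session."""
        user = self.sessions.pop(old_sid, None)
        if user is None:
            return None  # unknown id: nothing to rotate
        return self.issue_random_id(user)

    def lookup(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def ids_look_sequential(issue: Callable[[str], str], samples: int = 5) -> bool:
    """Audit check: issue ids for several fresh logins and report whether they
    are consecutive integers, i.e. whether one client's id reveals another's."""
    ids = [issue(f"user{i}") for i in range(samples)]
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False  # non-numeric ids cannot be a plain counter
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))
```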

SOLUTION

    Bluestone doesn't provide a patch for this problem.  You have to
    upgrade your software to the new version (V6.X), which allows you
    to use your own authentication scheme.