Datalex BookIt! Consumer Password Vulnerabilities

[alias () securityfocus com]

iDEFENSE Security Advisory 06.10.2002

Datalex BookIt! Consumer Password Vulnerabilities

DESCRIPTION

Datalex PLC's BookIt! Consumer stores and transmits passwords in clear text. BookIt! is a suite of travel booking 
products that allows airlines, travel agencies and other travel enterprises to sell travel reservations via a web based 
portal. BookIt! is used by many corporations including Amtrak, as noted on their company website 
(http://www.datalex.com/company_clients.asp).

By default, BookIt! Consumer does not handle passwords securely. Specifically, the following two vulnerabilities exist:

1. When generating or updating a profile, the user is presented with the following three options:

* Save User ID to this computer?
* Save User ID and Password to this computer?
* Don't Save User ID and Password to this computer.

If either of the first two options are selected, the user ID and/or password are stored in a cookie in clear text. The 
cookie uses the following format:

bookituserid1055
user_ID
powered.gohop.com/JBookIt
1536
3759767808
29567477
812114976
29494044
*
bookitpassword1055
password
powered.gohop.com/JBookIt
1536
3759767808
29567477
812274976
29494044


As seen above, the user ID and password are clearly visible. It should be noted that tickets.amtrak.com uses "Save 
Amtrak User ID and Password to this computer?" as its default setting.

2. When updating a profile, certain sites (e.g. tickets.amtrak.com) pass all form variables, including passwords using 
the GET method.

The following web sites contain the aforementioned vulnerabilities:

* http://powered.gohop.com/backpacker/home.htm
* http://tickets.amtrak.com

SOURCES

Datalex, http://www.datalex.com, June 3, 2002
Jim Peters, Jim.Peters () datalex com, June 3-5, 2002

ANALYSIS

Storing authentication credentials in cookies is never a good idea as cookies can be stolen through cross-site 
scripting attacks or local access to the hard drive. Once cookies have been stolen, an attacker can gain access to the 
vulnerable site and masquerade as a legitimate user. This vulnerability is enhanced when authentication credentials are 
stored in clear text. In this situation the username and password can be obtained merely by viewing the cookie contents.

Passing sensitive variables such as passwords in the URL using the GET method may expose the authentication credentials 
to attackers. URLs may be stored in proxy or web server log files. Anyone that has access to the logs will be able to 
view the user's credentials in clear text.

VENDOR RESPONSE

Datalex Bookit! Consumer prior to version 2.2 is vulnerable. According to Datalex, version 2.2 and above encrypt 
passwords using the Tiny Encryption Algorithm prior to storing them in a cookies.

WORKAROUND

Users can prevent having authentication credentials stored within cookies in clear text by using the "Don't Save User 
ID and Password to this computer" option when creating or updating user profiles. Reconfiguring the web server to pass 
form variables using the POST method could prevent the second vulnerability.

VENDOR FIX

Upgrade to Bookit! Consumer version 2.2 by contacting Datalex.


Michael Sutton, CISA 
Senior Security Engineer 
iDEFENSE Labs
14151 Newbrook Drive, Suite 100
Chantilly, VA 20151
direct: 703.344.2628
voice: 703.961.1070
fax: 703.961.1071

msutton () idefense com 
www.idefense.com