Headquarters
Rua Marechal Hermes 678 CJ 32
CEP 80530-230, Curitiba, PR
T (41) 3095.5736 | (41) 3095.3986
http://www.conviso.com.br
Conviso IT Security
Introduction
The issue described in this advisory was discovered as part of a general investigation into the security of software used
in the IT environments of our customers. For more information about our company and the services we
provide, please check our website at www.conviso.com.br.
The vulnerability described in this security advisory was discovered by Gabriel Quadros on October 1st
2010 during internal security research.
Security Advisory
1. Issue Description
This advisory describes multiple JSON Hijacking vulnerabilities in Spree e-commerce v0.11.0, an
open source commerce platform written for the Ruby on Rails framework. An attacker can use this
flaw to steal confidential information such as: products' cost price and quantity; users' email,
encrypted password, tokens, OpenID identifier, phone and address; orders' count and value by period.
2. Affected Components
The vulnerability was identified on the latest stable version of Spree e-commerce, v0.11.0. The
product’s web page is located at http://spreecommerce.com. Prior versions may also be affected.
3. Details
There are some pages within the default Spree installation that use JavaScript Object Notation (JSON)
as a transport mechanism between the client and the server. As the application cannot differentiate
real requests to these pages from forged requests, and the JSON object returned can be accessed by
the attacker's malicious code via a script tag, these pages are vulnerable to an attack known as JSON
Hijacking.
• /admin/products.json
• /admin/users.json
• /admin/overview/get_report_data
To exploit this vulnerability, an attacker needs a small amount of social engineering to trick the
administrator user into visiting a malicious page. Once that happens, the malicious code makes a
request to the affected page to retrieve a JSON object containing the desired information. If the
administrator user is logged in, the administrator's session cookie is sent along with the request and the page returns the
JSON object. The following exploits show how to hijack the information from two of the affected pages
if the administrator user uses the Google Chrome browser.
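As an added example (not code from the advisory and not Spree's own fix), the following Rack middleware in plain Ruby applies the two usual defences to the three endpoints listed above: a GET to a protected endpoint must carry the X-Requested-With header, which a script tag cannot add, and a JSON response is never returned as a bare array. The upstream app, the hard-coded endpoint list and the `)]}',` prefix convention are assumptions of this example.

```ruby
require 'json'

class JsonHijackGuard
  # Endpoints from the advisory; a real deployment would derive this list
  # from the routes rather than hard-code it (assumption of this example).
  PROTECTED = %w[/admin/products.json /admin/users.json /admin/overview/get_report_data].freeze
  PREFIX = ")]}',\n".freeze # assumed convention: a syntax error when loaded through a <script> tag

  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) unless PROTECTED.include?(env['PATH_INFO'])

    # A <script src> include is always a plain GET and cannot add a custom header,
    # so requiring X-Requested-With on GET blocks the cross-site load while
    # the application's own XMLHttpRequest calls keep working.
    if env['REQUEST_METHOD'] == 'GET' && env['HTTP_X_REQUESTED_WITH'] != 'XMLHttpRequest'
      return [403, { 'Content-Type' => 'text/plain' }, ['JSON endpoint requires XMLHttpRequest']]
    end

    status, headers, body = @app.call(env)
    return [status, headers, body] unless headers['Content-Type'].to_s.start_with?('application/json')

    # Second defence: never emit a bare JSON array, which is a valid JavaScript
    # expression; wrap it in an object and prepend a prefix the legitimate
    # client strips before parsing.
    data = JSON.parse(body.join)
    data = { 'data' => data } if data.is_a?(Array)
    out = PREFIX + JSON.generate(data)
    [status, headers.merge('Content-Length' => out.bytesize.to_s), [out]]
  end
end

# Constructed upstream app standing in for the Spree controller: it returns a
# bare array, the shape the advisory describes as readable via a script tag.
UPSTREAM = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' }, ['[{"id":1,"cost_price":9.5}]']]
end
GUARDED = JsonHijackGuard.new(UPSTREAM)

# Helper used by the checks: returns [status, body] for a simulated request.
def guarded_request(path, verb: 'GET', xhr: false)
  env = { 'PATH_INFO' => path, 'REQUEST_METHOD' => verb }
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  status, _headers, body = GUARDED.call(env)
  [status, body.join]
end
```

With this in place a cross-site script-tag load of /admin/products.json receives a 403, while the admin UI's own XHR calls receive the prefixed, object-wrapped body.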
4. Issue Mitigation
Upgrade to the 0.11.2 release.
5. Additional Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3978 to
this issue.
Conviso IT Security calculated the scores of this vulnerability using the online CVSS calculator found at
http://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspx and described at
http://www.first.org/cvss/cvss-guide.pdf.
Issue History
Date       Comments
11/02/10   Spree published the issue and the new release at http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/.
11/13/10   Security Advisory published on the Conviso IT Security web site and on relevant discussion lists and forums on the Internet.