Security Advisory | CVE-2010-3978

Spree e-commerce JSON v.0.11x

Curitiba | Brasilia | São Paulo

Headquarters
Rua Marechal Hermes 678 CJ 32
CEP 80530-230, Curitiba, PR
T (41) 3095.5736 | (41) 3095.3986
http://www.conviso.com.br
 Conviso IT Security

Introduction

1. Copyright and Disclaimer

The information in this advisory is Copyright 2010 Conviso IT Security and provided so that the society
can understand the risk they may be facing by running affected software, hardware or other
components used on their systems. In case you wish to copy information from this advisory, you must
either copy all of it or refer to this document (including our URL). No guarantee is provided for the
accuracy of this information, or damage you may cause your systems in testing.

2. About Conviso IT Security

Founded on 2008 by a team of professionals working the IT Security market since 1997, Conviso IT
Security is a consulting company specialized on network and application security services. Our values
are based on the allocation of the adequate competencies on the field, a clear and direct speech with
the market, collaboration and partnership with our customers and business partners and constant
investments on methodology and research improvement.

This advisory has been discovered as part of a general investigation into the security of software used
in the IT environments of our customers. For more information about our company and services
provided, please check our website at www.conviso.com.br.

3. The Security Research

Conviso IT Security maintains a virtual team dedicated to explore our customer’s environments in order
to identify technical vulnerabilities in software and hardware, developing real-world mitigation solutions
and processes to maintain more secure environments. Leaded by Wagner Elias, our R&D Manager,
this team is named Conviso Security Labs and also contribute to important world-class organizations
projects and organizations.

The vulnerability described in this security advisory was discovered by Gabriel Quadros on October 1st
2010 during a internal security research.

Security Advisory | CVE-2010-3978 | Spree e-commerce JSON v.0.11x ! 1

 Conviso IT Security

Security Advisory

1. Issue Description
This advisory describes multiple JSON Hijacking vulnerabilities on Spree e-commerce v0.11.0, an
open source commerce platform written for the Ruby on Rails framework. As a result, an attacker can
use this flaw to steal confidential information such as: products' cost price and quantity; users' email,
encrypted password, tokens, OpenID identifier, phone and address; orders' count and value by period.

2. Affected Components
The vulnerability was identified on the latest stable version of Spree e-commerce, v0.11.0. The
product’s web page is located at http://spreecommerce.com. Prior versions may also be affected.

3. Details
There are some pages within the default Spree installation that use JavaScript Object Notation (JSON)
as a transport mechanism between the client and the server. As the application cannot differentiate
real requests to these pages from forged requests, and the JSON object returned can be accessed by
the attacker's malicious code via a script tag, these pages are vulnerable to an attack known as JSON
Hijacking.

The affected pages are:

• /admin/products.json

• /admin/users.json

• /admin/overview/get_report_data

To exploit this vulnerability, an attacker should use a small amount of social engineering to trick the
administrator user in visiting a malicious page. Once that happens, the malicious code makes a
request to the affected page to retrieve a JSON object containing the desired information. If the
administrator user is logged in, his cookie is sent along with the request and the page returns the
JSON object. The following exploits show how to hijack the information from two of the affected pages
if the administrator user uses the Google Chrome browser.

Proof of concept exploitation code is available to interested parties.

4. Issue Mitigation
Upgrade to the version 0.11.2 release

5. Additional Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3978 to
this issue.

Security Advisory | CVE-2010-3978 | Spree e-commerce JSON v.0.11x ! 2

 Conviso IT Security

CVSS Issue Severity Scores

Conviso IT Security calculated the scores of this vulnerability using the online CVSS calculator found at
http://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspx and described at http://
www.first.org/cvss/cvss-guide.pdf.

Criteria Description Value

Base Metrics Access Vector Remote

Value: 3.5 Access Complexity Low

Authentication Not Required

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Impact BIAS Confidentiality

Temporal Metrics Exploitability Functional

Value: 2.9 Remediation Level Official Fix

Report Confidence Confirmed

Environmental Metrics Collateral Damage Potential High

Value: 6.4 Target Distribution High

Security Advisory | CVE-2010-3978 | Spree e-commerce JSON v.0.11x ! 3

 Conviso IT Security

Issue History

Date Comments

10/01/10 Vulnerability identified during internal research by Conviso Security Labs

10/11/10 Spree informed about the vulnerability

10/15/10 Spree notified about the Security Advisory publishing date

11/02/10 Spree published the issue and new available release at http://spreecommerce.com/
blog/2010/11/02/json-hijacking-vulnerability/.

11/13/10 Security Advisory published on Conviso IT Security web site and relevant discussion
lists and forums on the Internet.

Security Advisory | CVE-2010-3978 | Spree e-commerce JSON v.0.11x ! 4