[14995] in bugtraq
Re: Another hole in Cart32
daemon@ATHENA.MIT.EDU (Michael Form)
Tue May 23 13:01:14 2000
Message-Id: <4.2.0.58.20000522162704.00bca840@mail.ot.com>
Date: Mon, 22 May 2000 16:37:54 -0400
Reply-To: Michael Form <mike@SECTOR001.ORG>
From: Michael Form <mike@SECTOR001.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000522133607.10888.qmail@securityfocus.com>
At 01:36 PM 5/22/00 +0000, bunny_69_1@HOTMAIL.COM wrote:
>Description:
>-----------
>When a user clicks on a product he's interested in, he sees
>a form where he can add this product to his cart, the
>problem is that the price of the product is passed to the
>Cart32 system by a "hidden" HTML tag named Price.
>A simple edit of this field will permit a malicious attacker
>to buy products at the desired price (probably $0).
This "hole" is avoided by setting "Domain(s) to Accept Orders" in the
'Advanced' Tab. If the referral URL does not match one of those domains
provided, the order will not go through. To quote from Cart32 v3.0 Help:
Domain(s) To Accept Orders
This is a list of domain names or ip addresses in which to accept orders.
This would be your website. This prevents a user from downloading a page
containing product information and then changing the price or other
parameter and then submitting the order. You can use one domain name or several
separated by commas. Ex. www.cart32.com or www.cart32.com, cart32.com,
207.150.83.60
(END QUOTE)
Of course, there are ways to go around the referral check, which is why the
"Require POST" option exists: the form must be submitted using
'POST' and not 'GET'.
Again, there are ways to avoid that check (for example, creating your own
simplistic "web browser"). However, all Cart32 users should skim through
the orders to see any noticeable price errors.
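The defensive pattern behind this thread (a hidden Price field that the server must never trust, the domain and POST checks as a first filter, and the advice to skim orders for price errors) as an added Python example; this is not Cart32 code, and the catalogue, accepted domains, field names and sample orders are constructed for illustration:

```python
"""Server-side handling of a hidden-field price (added example, not Cart32 code).
The authoritative price comes from the merchant's own catalogue; the submitted
Price field is only compared against it so tampered orders are refused and
flagged for review rather than priced by the client."""
import math
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed catalogue and accepted domains (assumed values, not from the post).
CATALOGUE = {"SKU-100": 49.95, "SKU-200": 12.50}
ACCEPTED_DOMAINS = {"www.example-shop.test", "example-shop.test"}

@dataclass
class Verdict:
    accepted: bool = True
    total: float = 0.0                      # recomputed from CATALOGUE, never from the form
    reasons: list = field(default_factory=list)

def check_order(form: dict, method: str, referer: str) -> Verdict:
    """form holds the submitted fields (Item, Price, Qty); method/referer come
    from the request. Every failed check is recorded so an operator can review it."""
    v = Verdict()
    # Require POST: the cheap filter the post describes (bypassable, so not the only check).
    if method.upper() != "POST":
        v.accepted = False
        v.reasons.append("method not POST")
    # Domain(s) To Accept Orders: referer host must be one of ours.
    host = urlparse(referer).hostname or ""
    if host not in ACCEPTED_DOMAINS:
        v.accepted = False
        v.reasons.append(f"referer host {host!r} not accepted")
    item = form.get("Item")
    if item not in CATALOGUE:
        v.accepted = False
        v.reasons.append("unknown item")
        return v
    try:
        qty = int(form.get("Qty", "1"))
        submitted = float(form.get("Price", "nan"))
    except ValueError:
        qty, submitted = 0, math.nan
    if qty < 1:
        v.accepted = False
        v.reasons.append("bad quantity")
    real = CATALOGUE[item]
    # The price error the author tells merchants to look for, detected automatically.
    if math.isnan(submitted) or abs(submitted - real) > 0.005:
        v.accepted = False
        v.reasons.append(f"price mismatch: submitted {submitted} vs catalogue {real}")
    v.total = round(real * max(qty, 0), 2)   # charged amount is always the catalogue price
    return v
```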