[14999] in bugtraq
Re: Another hole in Cart32
daemon@ATHENA.MIT.EDU (sert sert)
Tue May 23 13:33:14 2000
Message-Id: <20000523060827.69598.qmail@hotmail.com>
Date: Mon, 22 May 2000 23:08:27 PDT
Reply-To: sert sert <sert_is@HOTMAIL.COM>
From: sert sert <sert_is@HOTMAIL.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
I attempted to contact the vendor earlier last month about resolving this
problem and received the attached reply. They seem to be relying on the
client to properly use the security options available in the package.
John Scimone
johnscimone@hotmail.com
>From: Elias Levy <aleph1@SECURITYFOCUS.COM>
>Reply-To: aleph1@SECURITYFOCUS.COM
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Re: Another hole in Cart32
>Date: Mon, 22 May 2000 12:30:13 -0700
>
>Notice that this is the same or a similar vulnerability reported
>by ISS in their February 1, 2000 security alert "Form Tampering
>Vulnerabilities in Several Web-Based Shopping Cart Applications",
>although they don't give enough details to tell one way or another.
>In that alert they mention Cart32 2.6. It seems the vendor has not
>learned from their earlier mistake.
>
>--
>Elias Levy
>SecurityFocus.com
>http://www.securityfocus.com/
>Si vis pacem, para bellum
Attachment: letter.txt
Sir:
Thank you for bringing any possible security flaw to our attention. Below
is an excerpt from a group mailing regarding Cart32 and security. If this
does or does not blanket what you are discussing below, please let us
know.
Once again, thank you for contacting us and we will keep in touch.
"It has been brought to our attention that some of our customers are unaware
of some very important settings within Cart32 that will prevent fraudulent
transactions from being processed by Cart32. Here is the latest on security.
Since Cart32 uses hidden fields to pass product information from the HTML
page to the CGI program then there is the potential for someone to download
a page, change a price in the hidden field (by editing the HTML), and then
re-post the form resulting in a lower price being added to the cart.
Obviously, in a setting where prices cannot be verified prior to shipping
this could cause some serious problems if the settings are incorrect.
What we did to help prevent this was add two fields into the Cart32
administration. The most important one is called "Domains to accept orders".
What you do with that is list all of the domains that can have pages on
them. Usually you would list your domain name and your secure domain if it is
different. Ex. www.cart32.com,cart32.com,secure.cart32.com
When a form is posted, then Cart32 checks the referring page to see if it
comes from one of those domains and if it doesn't then Cart32 does not
process the form. It just shows the "about" screen.
The other field is called POST required. This means that a form must use
Method=post and not method=get. Also that means links, which use the GET
method, will not add to the cart."
Mark Pilkenton
Cart32 Technical Support
(417) 865-1283
support@cart32.com
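The following is an added illustration, not Cart32 code or anything from the vendor letter: it models the hidden-field price flaw described above and the two vendor settings ("Domains to accept orders" and POST required), beside a handler that takes the price from a server-side catalogue instead of the form. The catalogue, the sample requests and the `Request` type are constructed for the example; note that the Referer header the domain check relies on is supplied by the client and is not authenticated, whereas a server-side price lookup does not depend on anything the client sends.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed merchant catalogue; a real shop keeps this in its database.
CATALOG = {"widget": 19.99, "gadget": 49.00}
# Mirrors the vendor's "Domains to accept orders" setting from the letter.
ACCEPTED_DOMAINS = {"www.cart32.com", "cart32.com", "secure.cart32.com"}


@dataclass
class Request:
    """Minimal stand-in for a CGI request (constructed for this example)."""
    method: str
    form: dict
    headers: dict = field(default_factory=dict)


def referer_accepted(req):
    """The vendor's check: the referring page must sit on an accepted domain.
    The Referer header comes from the client, so this is a weak trust boundary."""
    host = urlsplit(req.headers.get("Referer", "")).hostname
    return host in ACCEPTED_DOMAINS


def price_trusting_form(req):
    """Vendor-style handler: price is read from a hidden form field, guarded
    only by POST-required and the referer check. Returns None when rejected
    (Cart32 would show its "about" screen instead)."""
    if req.method != "POST" or not referer_accepted(req):
        return None
    return float(req.form["price"])  # whatever the client sent


def price_from_catalog(req):
    """Hardened handler: the form may only name the product; the price comes
    from the server-side catalogue, so editing the HTML cannot change it."""
    if req.method != "POST":
        return None
    return CATALOG.get(req.form.get("item"))  # None for unknown products


# Constructed requests: a genuine add-to-cart, a copy whose hidden price
# field was edited before being re-posted, and a GET link.
GOOD = Request("POST", {"item": "widget", "price": "19.99"},
               {"Referer": "https://www.cart32.com/shop.html"})
TAMPERED = Request("POST", {"item": "widget", "price": "0.01"},
                   {"Referer": "https://www.cart32.com/shop.html"})
GET_LINK = Request("GET", {"item": "gadget", "price": "49.00"})

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("tampered", TAMPERED), ("get", GET_LINK)]:
        print(name, price_trusting_form(req), price_from_catalog(req))
```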