[17331] in bugtraq
Re: Price modification in Element InstantShop
daemon@ATHENA.MIT.EDU (Forrest J. Cavalier III)
Wed Oct 25 03:13:13 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <200010241812.e9OICRk27031@lima.epix.net>
Date: Tue, 24 Oct 2000 14:12:11 -0400
Reply-To: forrest@mibsoftware.com
From: "Forrest J. Cavalier III" <mibsoft@MIBSOFTWARE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
[snip of exploit which manipulates HTML hidden form inputs]
Regrettably common, I think.
This is just a reminder (with PHP3 code) that one simple technique
to protect against this kind of tampering is to use a signature
to validate the hidden values.
In PHP3, it is as simple as using md5 with a secret, like this:
<?php
/* PHP3 with register_globals: on the reading side $price, $hidden2,
   $hidden3 and $hiddensig are filled in directly from the submitted form. */
$secret = "Some constant, unrevealed string.";

/* Join the fields with a separator that cannot occur in the values, so that
   "10" . "0X" and "100" . "X" do not produce the same string to hash. */
$signed = $price . "|" . $hidden2 . "|" . $hidden3 . "|" . $secret;

/* On writing out the form */
echo "<INPUT TYPE=hidden NAME=price VALUE=\"$price\">";
echo "<INPUT TYPE=hidden NAME=hidden2 VALUE=\"$hidden2\">";
echo "<INPUT TYPE=hidden NAME=hidden3 VALUE=\"$hidden3\">";
echo "<INPUT TYPE=hidden NAME=hiddensig VALUE=\"" . md5($signed) . "\">";

/* On reading in the form: compare as strings. PHP's "!=" compares two
   numeric-looking strings as numbers, so two hex digests of the form
   "0e..." followed by digits would wrongly compare equal. */
if (strcmp(md5($signed), $hiddensig) != 0) {
    /* Tampering detected */
} else {
    /* Signature matches expected */
}
?>
Forrest J. Cavalier III, Mib Software Voice 570-992-8824
http://www.rocketaware.com/ has over 30,000 links to
source, libraries, functions, applications, and documentation.
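The same signing approach as a stand-alone Python example, added here and not part of the original post or of InstantShop: it uses an HMAC over a canonical name=value encoding instead of md5 over a bare concatenation, compares the signature in constant time, and includes a check showing why the field separator matters. The function names (sign, verify, render_form, boundary_shift_demo) and the demo values are constructed for the example.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import quote

# Constructed demo values; in a real shop these come from the server's catalogue.
SECRET = b"some constant, unrevealed string"
FIELDS = ["price", "hidden2", "hidden3"]


def naive_sig(values, secret=SECRET):
    """The scheme from the post: a plain concatenation hashed with the secret.
    Kept only so boundary_shift_demo() can show its weakness."""
    return hashlib.md5("".join(values).encode() + secret).hexdigest()


def canonical(values):
    """Encode the fields so that boundaries are unambiguous: '&'-joined
    name=value pairs with the values percent-encoded, so neither '=' nor '&'
    can occur inside a value."""
    pairs = [f"{n}={quote(v, safe='')}" for n, v in zip(FIELDS, values)]
    return "&".join(pairs).encode()


def sign(values, secret=SECRET):
    """Keyed hash (HMAC-SHA256) over the canonical encoding."""
    return hmac.new(secret, canonical(values), hashlib.sha256).hexdigest()


def verify(values, sig, secret=SECRET):
    """Constant-time comparison; True only if no field was altered."""
    return hmac.compare_digest(sign(values, secret), sig)


def render_form(values, secret=SECRET):
    """Emit the hidden inputs plus the signature field, as the post does,
    with attribute values HTML-escaped."""
    lines = [
        f'<INPUT TYPE=hidden NAME={n} VALUE="{escape(v, quote=True)}">'
        for n, v in zip(FIELDS, values)
    ]
    lines.append(
        f'<INPUT TYPE=hidden NAME=hiddensig VALUE="{sign(values, secret)}">'
    )
    return "\n".join(lines)


def boundary_shift_demo():
    """Moving one character across a field boundary leaves the naive
    concatenation unchanged, but the canonical encoding rejects it.
    Returns (naive_scheme_accepts, canonical_scheme_accepts)."""
    original = ["10", "0X", "Z"]
    shifted = ["100", "X", "Z"]
    naive_same = naive_sig(original) == naive_sig(shifted)
    canonical_same = verify(shifted, sign(original))
    return naive_same, canonical_same


if __name__ == "__main__":
    values = ["19.99", "SKU-1", "blue"]
    print(render_form(values))
    print("verify untouched:", verify(values, sign(values)))
    print("verify tampered :", verify(["1.99", "SKU-1", "blue"], sign(values)))
    print("boundary shift  :", boundary_shift_demo())
```

Any server-side check of this kind still has to recompute the signature from the submitted values, never trust a client-supplied copy of the secret, and treat a mismatch as tampering rather than as a retry condition.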