[17342] in bugtraq


Re: Price modification in Element InstantShop

daemon@ATHENA.MIT.EDU (Glover, Mike)
Wed Oct 25 13:35:37 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <20001025072713.22629.qmail@paradise.duluoz.net>
Date:         Wed, 25 Oct 2000 00:27:13 -0700
Reply-To: webmaster@DULUOZ.NET
From: "Glover, Mike" <webmaster@DULUOZ.NET>
X-To:         forrest@mibsoftware.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200010241812.e9OICRk27031@lima.epix.net> from "Forrest J.
              Cavalier III" at Oct 24, 2000 02:12:11 PM

>
> [snip of exploit which manipulates HTML hidden form inputs]
>
> Regrettably common, I think.
>
> This is just a reminder (with PHP3 code) that one simple technique
> to protect against this kind of tampering is to use a signature
> to validate the hidden values.

   Wouldn't it just be better not to pass prices through forms at all?
If you've got the ability to run a scripting language, you can store
all of your prices in a database -- even a flat text file would work.
Then the form and the processing page just look up the price in the
database.  Makes your storefront more maintainable, too.

>
> In PHP3, it is as simple as using md5 with a secret, like this:
>
>   $secret = "Some constant, unrevealed string.";
>
> /* On writing out the form */
>   echo "<INPUT TYPE=hidden NAME=price VALUE=\"$price\">";
>   echo "<INPUT TYPE=hidden NAME=hidden2 VALUE=\"$hidden2\">";
>   echo "<INPUT TYPE=hidden NAME=hidden3 VALUE=\"$hidden3\">";
>   echo "<INPUT TYPE=hidden NAME=hiddensig VALUE=\"" .
>         md5($price . $hidden2 . $hidden3 . $secret) . "\">";
>
> /* On reading in the form */
>   if (md5($price . $hidden2 . $hidden3 . $secret) != $hiddensig) {
>      /* Tampering detected */
>   } else {
>      /* Signature matches expected */
>   }

   This would work, but it's not very flexible.  The form needs to
know what data is sensitive and what isn't, and the processing page
needs to have the same list.  If the two lists fall out of sync,
your page stops working, or you've got the same problem all over
again -- just with more complexity in your code.

  Also, what happens when you raise prices?  Attackers can still
replay old sessions and buy at the old prices.  To fix this you'd
need to change the secret every time you raised prices.  At the
very least, this is inconvenient and one more thing to keep in
sync every time you make a change.

-mike

>
> Forrest J. Cavalier III, Mib Software  Voice 570-992-8824
> http://www.rocketaware.com/ has over 30,000 links to
> source, libraries, functions, applications, and documentation.
>


--

Mike Glover                            webmaster@duluoz.net
Duluoz Networks                        http://www.duluoz.net
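The two approaches argued over in this thread, as an added example that is not code from either poster. It is written in Python rather than the PHP3 of the original so that it runs stand-alone; the catalog, the secret and the form values are constructed for the example. `checkout_server_side` is Mike's recommendation: the form carries only an item identifier and quantity, and the processing page looks the price up and ignores anything the client sent. `sign_hidden_fields` / `verify_hidden_fields` keep Forrest's signed-hidden-field idea but address the two objections raised above: every hidden field is signed as one canonical blob (so the form and the processing page cannot fall out of sync over which fields are "sensitive"), and a price-list version plus an expiry are inside the signed data (so an old form cannot be replayed at old prices without rotating the secret). It also swaps `md5(data . secret)` for HMAC-SHA256 with a constant-time comparison; that substitution is mine, not the thread's.

```python
import hashlib
import hmac
import json
import time

# Constructed sample catalog (prices in cents); not the vendor's data.
CATALOG = {
    "widget": 1999,
    "gadget": 4999,
}
PRICE_LIST_VERSION = 2     # bump this whenever prices change
SECRET = b"some constant, unrevealed string"   # assumption: loaded from config in practice


def checkout_server_side(form):
    """Mike's approach: total the order from the catalog, never from the form.

    Returns the total in cents. Any 'price' field the client sent is ignored.
    """
    sku = form.get("sku")
    qty = int(form.get("qty", "0"))
    if sku not in CATALOG or qty <= 0:
        raise ValueError("bad item or quantity")
    return CATALOG[sku] * qty


def _canonical(fields):
    """One fixed encoding of the whole hidden-field set.

    Values are coerced to str because a real HTTP form returns strings, and
    sorted keys with fixed separators make both sides hash the same bytes.
    Using JSON also avoids the ambiguity of plain concatenation
    (price="12",x="3" vs price="1",x="23").
    """
    return json.dumps({k: str(v) for k, v in fields.items()},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_hidden_fields(fields, version=PRICE_LIST_VERSION, now=None, ttl=3600):
    """Forrest's approach, hardened: return the hidden fields to emit, with
    the price-list version, an expiry and an HMAC over all of them."""
    now = int(time.time()) if now is None else now
    payload = dict(fields)
    payload["price_list_version"] = str(version)
    payload["expires"] = str(now + ttl)
    payload["sig"] = hmac.new(SECRET, _canonical(payload), hashlib.sha256).hexdigest()
    return payload


def verify_hidden_fields(submitted, version=PRICE_LIST_VERSION, now=None):
    """Return the verified fields, or raise ValueError on tampering,
    replay against an old price list, or an expired form."""
    now = int(time.time()) if now is None else now
    submitted = dict(submitted)
    sig = str(submitted.pop("sig", ""))
    expected = hmac.new(SECRET, _canonical(submitted), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("tampering detected")
    # Signature is good, so the version and expiry below are what we emitted.
    if submitted.get("price_list_version") != str(version):
        raise ValueError("stale price list (replay of an old form)")
    if int(submitted.get("expires", "0")) < now:
        raise ValueError("form expired")
    return submitted


def rejection_reason(submitted, version=PRICE_LIST_VERSION, now=None):
    """Convenience wrapper: None if the form verifies, else the reason."""
    try:
        verify_hidden_fields(submitted, version=version, now=now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Client edits the hidden price to 1 cent; the lookup approach never looks at it.
    print(checkout_server_side({"sku": "widget", "qty": "2", "price": "1"}))

    signed = sign_hidden_fields({"sku": "widget", "price": "1999"}, version=2, now=1000, ttl=60)
    tampered = dict(signed, price="1")
    print(rejection_reason(signed, version=2, now=1010))      # None: accepted
    print(rejection_reason(tampered, version=2, now=1010))    # tampering detected
    print(rejection_reason(signed, version=3, now=1010))      # stale price list
    print(rejection_reason(signed, version=2, now=2000))      # form expired
```

The server-side lookup is the simpler fix and needs no secret at all; the signed variant is only worth the machinery when the form genuinely has to carry state the server cannot reconstruct.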
