[Full-Disclosure] ShopFactory shopping cart price manipulation

From: Richard van den Berg (richard@trust-factory.com)
Date: 12/02/02

From: richard@trust-factory.com (Richard van den Berg)
Date: Mon, 02 Dec 2002 18:33:17 +0100

Trust Factory Security Advisory TF20021004

Discovery Date: October 4, 2002
Release Date: December 2, 2002
ID: TF20021004
Title: ShopFactory shopping cart price manipulation
Impact: Customers can modify the price of items at will
Affected Technology: Online shopping carts created with ShopFactory
Vendor Status: Vendor was notified on October 7, 2002
                       Vendor promised partial fix, and suggested work
Discovered By: Richard van den Berg <richard@trust-factory.com>
Advisory URL: http://www.trust-factory.com/TF20021004.html

ShopFactory is an online shop management package by 3D3.COM Pty Ltd
based in Australia. A quote from the www.shopfactory.com homepage:

With more than 100,000 shops worldwide built with our secure shopping
cart software, ShopFactory is one of the world's most popular and
powerful e-commerce solutions.

The contents of shopping carts used by shops created with ShopFactory
software can be modified at will by customers. One interesting
vulnerablility is the ability to maliciously modify prices of items
in the shopping carts. Tests show that the modifications are maintained
throughout the billing process.

Technical details:
Shopping carts created with ShopFactory software optionally store all
contents of the cart in a cookie at the browser. This includes product
IDs, descriptions and prices. Upon revisiting the store, this cookie is
used to fill the cart for the new session. At checkout the contents of
this new cart is used to enter the order into the shop's delivery and
billing system.
If the shop owner has set "Remember Shopping cart for (days)" to 0,
cookies are not created by the shop. Prior to version 5.8 cookies
are being read even when the shop does not create them. If a malicious
user manually creates a cookie with incorrect pricing, it would still
be used to fill the cart for a new shopping session.

Vendor response:
After being made aware of the problem, 3D3.COM chose to fix the reading
in of cookies when the shop does not create them. We have not been given
the oppertunity to verify this fix. Regardless, the price manipulation
vulnerability will still exist when "Remember Shopping cart for (days)"
is set larger than 0.
3D3.COM states that they have not heard of any merchant experiencing
fraud caused by this problem. 3D3.COM has informed its customers of this

ShopFactory violates the "don't trust user input" rule of application
programming, resulting in potential loss of profit for shops using
this software. See also Don't #2 of "Twenty Don'ts for ASP Developers"
at http://online.securityfocus.com/infocus/1603

Possible work around:
Upgrade to at least version 5.8 of the ShopFactory software and set
"Remember Shopping cart for (days)" to 0.

Richard van den Berg, CISSP
Trust Factory B.V.      | http://www.trust-factory.com/
Bazarstraat 44a         | Phone: +31 70 3620684
NL-2518AK The Hague     | Fax  : +31 70 3603009
The Netherlands         |