[NEWS] ShopFactory Shopping Cart Price Manipulation

From: support@securiteam.com
Date: 12/05/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 5 Dec 2002 20:57:25 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      ShopFactory Shopping Cart Price Manipulation


     <http://www.shopfactory.com/> ShopFactory is an online shop management
    package by 3D3.COM Pty Ltd based in Australia. With more than 100,000
    shops worldwide built with our secure shopping cart software, ShopFactory
    is one of the world's most popular and powerful e-commerce solutions. A
    vulnerability in the product allows remote attackers to modify the prices
    offered in the site.


    Vulnerable systems:
     * ShopFactory version 5.8 and prior

    Customers can modify the price of items at will.

    The contents of shopping carts used by shops created with ShopFactory
    software can be modified at will by customers. One interesting
    vulnerability is the ability to maliciously modify prices of items in the
    shopping carts. Tests show that the modifications are maintained
    throughout the billing process.

    Technical details:
    Shopping carts created with ShopFactory software optionally store all
    contents of the cart in a cookie at the browser. This includes product
    IDs, descriptions and prices. Upon revisiting the store, this cookie is
    used to fill the cart for the new session. At checkout the contents of
    this new cart are used to enter the order into the shop's delivery and
    billing system. If the shop owner has set "Remember Shopping cart for
    (days)" to 0, cookies are not created by the shop. Prior to version 5.8,
    cookies are read even when the shop does not create them. If a
    malicious user manually creates a cookie with incorrect pricing, it is
    still used to fill the cart for a new shopping session.
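    The mechanism above, as an added illustration that is not ShopFactory's code: a cart cookie whose entries carry a price is restored two ways, once trusting the cookie's price field and once looking prices up server side and honouring the "Remember Shopping cart for (days)" setting. The cookie layout, product IDs and catalog are constructed for the example.

```python
# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {"P100": ("Widget", 19.99), "P200": ("Gadget", 5.00)}

# Constructed cookie value, one entry per item as id,description,price,qty.
# The second entry carries a price the customer has edited down to 0.01.
TAMPERED_COOKIE = "P100,Widget,19.99,1|P200,Gadget,0.01,3"


def parse_cart_cookie(cookie):
    """Split the cookie into raw entries; no validation happens here."""
    items = []
    for entry in cookie.split("|"):
        if not entry:
            continue
        pid, desc, price, qty = entry.split(",")
        items.append({"id": pid, "desc": desc, "price": float(price), "qty": int(qty)})
    return items


def restore_cart_trusting_cookie(cookie):
    """Vulnerable pattern: the price presented by the browser is used as-is."""
    return parse_cart_cookie(cookie)


def restore_cart_repriced(cookie, remember_days):
    """Hardened pattern: only product id and quantity are taken from the cookie;
    description and price come from the catalog, and the cookie is ignored
    entirely when the shop is configured not to issue one (remember_days == 0)."""
    if remember_days <= 0 or not cookie:
        return []
    items = []
    for raw in parse_cart_cookie(cookie):
        if raw["id"] not in CATALOG or raw["qty"] < 1:
            continue  # unknown product or nonsensical quantity: drop the entry
        desc, price = CATALOG[raw["id"]]
        items.append({"id": raw["id"], "desc": desc, "price": price, "qty": raw["qty"]})
    return items


def cart_total(items):
    """Order total as the billing system would compute it from the restored cart."""
    return round(sum(i["price"] * i["qty"] for i in items), 2)


if __name__ == "__main__":
    print(cart_total(restore_cart_trusting_cookie(TAMPERED_COOKIE)))  # 20.02
    print(cart_total(restore_cart_repriced(TAMPERED_COOKIE, 7)))      # 34.99
    print(cart_total(restore_cart_repriced(TAMPERED_COOKIE, 0)))      # 0
```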

    Vendor response:
    After being made aware of the problem, 3D3.COM chose to fix the reading in
    of cookies when the shop does not create them. We have not been given the
    opportunity to verify this fix. Regardless, the price manipulation
    vulnerability will still exist when "Remember Shopping cart for (days)" is
    set larger than 0. 3D3.COM states that they have not heard of any merchant
    experiencing fraud caused by this problem. 3D3.COM has informed its
    customers of this issue.

    Possible workaround:
    Upgrade to at least version 5.8 of the ShopFactory software and set
    "Remember Shopping cart for (days)" to 0.


    The original advisory can be downloaded by going to:

    The information has been provided by <mailto:richard@trust-factory.com>
    Richard van den Berg.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.