[NEWS] ShopFactory Shopping Cart Price Manipulation
From: support@securiteam.com
Date: 12/05/02
- Previous message: support@securiteam.com: "[UNIX] Pre-Login Buffer Overflow in Cyrus IMAP server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 5 Dec 2002 20:57:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
ShopFactory Shopping Cart Price Manipulation
------------------------------------------------------------------------
SUMMARY
<http://www.shopfactory.com/> ShopFactory is an online shop management
package by 3D3.COM Pty Ltd, based in Australia. The vendor states that more
than 100,000 shops worldwide have been built with it, which makes ShopFactory
one of the most widely used e-commerce packages. A vulnerability in the
product allows a remote customer to change the prices of items in their own
shopping cart, and the altered prices are carried through to billing.
DETAILS
Vulnerable systems:
* ShopFactory version 5.8 and prior
Impact:
Customers can modify the price of items at will.
The contents of shopping carts in shops created with ShopFactory software are
held on the customer's side and can be modified at will by the customer. The
most serious consequence is that the prices of items in the cart can be
rewritten. Tests show that the modified prices are maintained throughout the
billing process.
Technical details:
Shops created with ShopFactory software optionally store the entire contents
of the cart in a cookie in the customer's browser, including product IDs,
descriptions and prices. When the customer returns to the store, this cookie
is read back to fill the cart for the new session, and at checkout the
contents of that cart are passed to the shop's delivery and billing system.
Because the cookie is under the customer's control, a manually edited cookie
carrying altered prices is accepted as-is and those prices reach the order.
If the shop owner sets "Remember Shopping cart for (days)" to 0, the shop
does not create the cookie; however, prior to version 5.8 the cookie is still
read if one is presented, so a customer can create it by hand and have it
used to fill the cart for a new shopping session.
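As an added illustration, not code from the advisory or from ShopFactory: a
minimal model of the pattern described above (pricing taken from a cookie the
customer holds) next to the two server-side checks that close it, plus the
"do not read a cookie you never set" rule that version 5.8 introduced. The
cookie layout `id:qty:price;id:qty:price`, the catalogue and the HMAC key are
constructed for this example; ShopFactory's real cookie format is not
described in the advisory.

```python
"""Added example (not ShopFactory's code): a cart kept in a client cookie,
the price manipulation it permits, and two server-side fixes.
The cookie layout 'id:qty:price;id:qty:price', the catalogue and the
key below are constructed for this example."""
import hashlib
import hmac
from decimal import Decimal
from typing import Optional

# Constructed catalogue standing in for the shop's own product database.
CATALOG = {
    "P100": {"desc": "Widget", "price": Decimal("49.95")},
    "P200": {"desc": "Gadget", "price": Decimal("120.00")},
}


def parse_cart_cookie(raw: str) -> list:
    """Split the assumed cookie layout into cart entries (no validation)."""
    items = []
    for entry in filter(None, raw.split(";")):
        pid, qty, price = entry.split(":")
        items.append({"id": pid, "qty": int(qty), "price": Decimal(price)})
    return items


# --- Vulnerable pattern: every field in the cookie is trusted, price included.
def total_trusting_cookie(raw: str) -> Decimal:
    return sum((i["qty"] * i["price"] for i in parse_cart_cookie(raw)),
               Decimal("0"))


# --- Fix 1: treat the cookie as a list of (id, qty) only and re-price from the
# catalogue at checkout; unknown ids or bad quantities reject the whole cart.
def total_repriced(raw: str) -> Decimal:
    total = Decimal("0")
    for i in parse_cart_cookie(raw):
        product = CATALOG.get(i["id"])
        if product is None or i["qty"] <= 0:
            raise ValueError("rejected cart entry %r" % i["id"])
        total += i["qty"] * product["price"]  # client-supplied price ignored
    return total


# --- Fix 2: authenticate the cookie so any edit by the browser is detected.
SERVER_KEY = b"constructed-demo-key-not-for-production"  # assumption


def seal_cart(raw: str) -> str:
    tag = hmac.new(SERVER_KEY, raw.encode(), hashlib.sha256).hexdigest()
    return raw + "|" + tag


def open_cart(sealed: str) -> Optional[str]:
    raw, sep, tag = sealed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, raw.encode(), hashlib.sha256).hexdigest()
    return raw if hmac.compare_digest(expected, tag) else None


# --- The behaviour fixed in 5.8: a shop with "Remember Shopping cart for
# (days)" = 0 must not read a cart cookie at all, even if one arrives.
def restore_cart(cookie: Optional[str], remember_days: int) -> list:
    if remember_days <= 0 or not cookie:
        return []
    raw = open_cart(cookie)
    return parse_cart_cookie(raw) if raw is not None else []


if __name__ == "__main__":
    honest = "P100:1:49.95;P200:2:120.00"
    tampered = "P100:1:0.01;P200:2:0.01"  # customer edits the price fields
    print("trusting cookie, tampered:", total_trusting_cookie(tampered))  # 0.03
    print("re-priced from catalogue: ", total_repriced(tampered))  # 289.95
    sealed = seal_cart(honest)
    print("sealed cookie opens:", open_cart(sealed) == honest)  # True
    print("edited sealed cookie:", open_cart(sealed.replace("49.95", "0.01")))  # None
```

Re-pricing from the catalogue is the fix that actually removes the class of
bug, because it makes the price field in the cookie irrelevant; the HMAC only
detects edits and still requires the server to keep the key secret and to
refuse unsigned cookies.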
Vendor response:
After being made aware of the problem, 3D3.COM chose to fix only the reading
of cookies in shops that do not create them (the pre-5.8 behaviour). We have
not been given the opportunity to verify this fix. Regardless, the price
manipulation remains possible whenever "Remember Shopping cart for (days)" is
set larger than 0, since the cart is then still stored in, and restored from,
the client-side cookie. 3D3.COM states that it has not heard of any merchant
experiencing fraud caused by this problem, and has informed its customers of
the issue.
Possible workaround:
Upgrade to at least version 5.8 of the ShopFactory software and set
"Remember Shopping cart for (days)" to 0. Both steps are needed: the setting
stops the shop from creating the cookie, and 5.8 stops it from reading one
that a customer supplies anyway.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.trust-factory.com/TF20021004.html
The information has been provided by Richard van den Berg
<mailto:richard@trust-factory.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[UNIX] Cyrus Sieve / libSieve Buffer Overflow"