[NEWS] Arbitrary Price Manipulation in CartMan Shopping Software

From: support@securiteam.com
Date: 12/20/02

  • Next message: support@securiteam.com: "[NT] LocalWEB 2000 Insecure Password Storage"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 20 Dec 2002 01:16:28 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Arbitrary Price Manipulation in CartMan Shopping Software


     <http://www.cartman.nethut.no/> Per Magne Knutsen's CartMan is a
    PHP-based multilingual, standalone web-based shopping cart application. A
    vulnerability in the product allows remote attackers to manipulate the
    price of products being sold by the software.


    Vulnerable systems:
     * CartMan version 1.04

    When adding items to the CartMan shopping cart, it uses a URL similar in
    structure to the following:


    The problem is an attacker can generate such a request by hand and set the
    price parameter (price=250 in the above URL) to any price desired. The
    following rewritten URL will add the "My Product" item listed as $250 to
    the attackers shopping cart at a price of $1:


    In cases where software is made available for download immediately after
    automated credit card validation, remote attackers can purchase such
    software for any price desired.

    Vendor response:
    Knutsen said, "A temporary fix that conceals how CartMan actually works
    has been suggested to my customers. The "fix" is available in the
    documentation file of an up-coming update of CartMan. Please see
    http://www.cartman.nethut.no/development/documentation.html . The relevant
    section is in the section Frequently Asked Questions, and reads like this:

    - --- extract start ---

    "How can I create a product-link to CartMan without the price and product
    ID showing in the browser's address field?"
    You can also pass information to CartMan via a FORM in your webpage, not
    just by links. Remember to include all the fields. An example, that also
    uses JavaScript is used in the index.html page that comes with this
    distribution. Click on the Dreamweaver link to see it in action. The link
    calls a JavaScript on the page, that in turn submits an invisible FORM on
    the same page.

    - --- extract end ---"

    Disclosure timeline:
    11/04/2002 Issue disclosed to iDEFENSE
    11/22/2002 Author notified, Per Magne Knutsen (pknutsen@nethut.no)
    11/23/2002 Response from Author
    11/25/2002 iDEFENSE clients notified
    12/16/2002 Coordinated Public Disclosure


    The information has been provided by <mailto:listserv@idefense.com>
    iDEFENSE Labs, the vulnerability was discovered by
    <mailto:steven.dowd@dowd.co.uk> Steven Dowd.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.