[UNIX] FishCart Integer Overflow / Rounding Error
From: SecuriTeam (support_at_securiteam.com)
Date: 01/15/04
To: list@securiteam.com Date: 15 Jan 2004 17:37:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
FishCart Integer Overflow / Rounding Error
------------------------------------------------------------------------
SUMMARY
FishCart (http://fishcart.org/) is "a popular full-featured multi-language
open source e-commerce system. It is written in PHP4 and works with a
variety of database engines. It has been in production for 6 years and is in
active use in a number of countries. FishCart has developers in the US and
Western Europe". A vulnerability in the product allows remote attackers, by
ordering a very large quantity of a product, to cause the system to
calculate a negative total cost for the products being purchased.
DETAILS
Vulnerable systems:
* FishCart version 3.0 and prior
Immune systems:
* FishCart version 3.1
On 8 January 2004, M2 Consultancy reported an error where very large
quantities ordered, about a billion or more, could cause negative totals
in FishCart. We quickly traced this to an integer overflow in an
arithmetic rounding function written for PHP2, in which FishCart was
originally written in late 1997. This rounding function has since been in
use in all versions of FishCart.
We believe we have a simple solution: replace the previous rnd() function
with the one below. After research and testing, we believe this will give
accurate multi-national results.
function rnd ($n) {
return round($n,2);
}
The function is found in the included file round.php[3] for FishCart 3.0
or earlier, or in functions.php for the version 3.1 betas. FishCart
version 1.x users will need to modify the function in both the round.php3
and showcart.php3 files.
Solution:
FishCart version 3.1, available from http://fishcart.org/, is supplied with
the patch already applied and tested.
The second precision argument to the round() function requires PHP4. We
believe this to be a reasonable choice, as the vast majority of sites
should by now be running on PHP4.
For sites running on PHP3, or for those that do not have immediate access
to the FishCart code, risk can be greatly reduced if a FishCart site sets a
maximum order quantity on each product, or if inventory checks are enabled
per product (unless very high stock levels are listed). As long as the
maximum total currency amount is less than (2^31)-5, or 2,147,483,643,
there will be no integer overflow in the current rnd() function.
The appropriate maximum order quantity in the product table will depend on
each site, perhaps 1000 or 10000; this could be set per product or site
wide as makes sense for each installation.
Another option is to modify the code in the showcart.php[3] and
modcart.php[3] files to limit the quantity allowed. No specific code
patches can be provided due to the many different versions of FishCart
that have been released.
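To make the failure mode, the round($n,2) fix and the quantity-cap mitigation concrete, the following Python script is an added example written for this page; it is not FishCart code. The advisory does not reproduce the original rnd(), so rnd_legacy() is a constructed stand-in whose 32-bit integer cast is emulated explicitly (its exact overflow point therefore need not coincide with the (2^31)-5 figure the advisory gives for the real function). check_quantity() and cart_total() are hypothetical helper names illustrating the per-product maximum-quantity and inventory gate the advisory recommends for sites that cannot patch rnd(); the sample orders are constructed.

```python
"""Added example, not FishCart code: the class of rounding overflow the
advisory describes, the advisory's round(n, 2) fix, and its quantity-cap
mitigation. rnd_legacy() is a constructed stand-in (the original rnd() is
not reproduced in the advisory); the 32-bit integer cast of PHP3/PHP4-era
builds is emulated so the overflow reproduces on 64-bit Python."""

INT32_MAX = 2**31 - 1
LEGACY_SAFE_TOTAL = 2**31 - 5   # total below which the advisory says the real rnd() is safe


def php32_int_cast(x):
    """Emulate (int)$x on a 32-bit PHP build: truncate toward zero as C does,
    then wrap into the signed 32-bit range. Out-of-range casts are undefined
    in C; two's-complement wrap is assumed here (x86 may yield INT_MIN
    instead), and either way a large positive total comes out negative."""
    i = int(x) & 0xFFFFFFFF
    return i - 2**32 if i > INT32_MAX else i


def rnd_legacy(n):
    """Constructed PHP2-style two-decimal rounder: peel off the whole currency
    units with an integer cast, then round the remaining fraction to cents.
    Once n reaches 2^31 the first cast wraps and the total goes negative."""
    whole = php32_int_cast(n)
    cents = php32_int_cast((n - whole) * 100 + 0.5)
    return whole + cents / 100


def rnd_fixed(n):
    """The advisory's replacement body, round($n, 2), in Python. (PHP rounds
    halves away from zero, Python half-to-even; irrelevant at these values.)"""
    return round(n, 2)


def check_quantity(qty, max_qty, stock=None):
    """Server-side quantity gate (hypothetical helper): the advisory's
    mitigation for sites that cannot patch rnd(). Rejects non-positive
    quantities, anything above the per-product maximum order quantity, and
    anything above listed stock when an inventory check is enabled."""
    if qty < 1:
        raise ValueError("quantity must be at least 1, got %r" % (qty,))
    if qty > max_qty:
        raise ValueError("quantity %d exceeds maximum order quantity %d" % (qty, max_qty))
    if stock is not None and qty > stock:
        raise ValueError("quantity %d exceeds stock level %d" % (qty, stock))
    return qty


def cart_total(lines, rnd, max_qty=10000):
    """Sum price * quantity over (price, qty, stock) lines, gating every
    quantity first, then round with the supplied rounder. With the gate in
    place the total stays far below LEGACY_SAFE_TOTAL for realistic prices."""
    total = 0.0
    for price, qty, stock in lines:
        total += price * check_quantity(qty, max_qty, stock)
    return rnd(total)


if __name__ == "__main__":
    # Constructed order: a 3.00 item at the billion-unit quantity the report mentions.
    total = 3.00 * 1_000_000_000
    print("legacy rnd:", rnd_legacy(total))            # negative
    print("fixed rnd: ", rnd_fixed(total))             # 3000000000.0
    print("over limit:", total > LEGACY_SAFE_TOTAL)    # True
    try:
        cart_total([(3.00, 1_000_000_000, None)], rnd_legacy)
    except ValueError as err:
        print("rejected:", err)                        # mitigation stops it before rnd()
    # Constructed normal basket: 3 x 19.99 (50 in stock) and 2 x 0.50
    print(cart_total([(19.99, 3, 50), (0.50, 2, None)], rnd_fixed))
```

The gate runs before any arithmetic, which is the order the advisory's mitigation relies on: with a cap of 10000 units per line, the total cannot approach 2^31 unless unit prices are themselves in the hundreds of thousands, so the unpatched rnd() is never fed a value it mishandles.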
B. van Ouwerkerk, one of the FishCart developers, has provided a simple
utility script to update all products with a maximum order quantity. The
script is available from http://fishcartdocs.bvanouwerkerk.nl/fcsqlfix.php.txt.
Rename the script to fcsqlfix.php and upload it to the ./maint directory
under the FishCart installation, then access the file directly from your
browser. A simple form will be presented to enter the maximum order quantity
to which you wish to set all products. When submitted, the form will update
the database. Because the script is reachable through the web server and
writes to the product table, remove it (or restrict access to it) as soon as
the update has been applied. Thanks to B. for responding quickly with this.
Support will be provided via the FishCart support e-mail list, available
for subscription at http://fishcart.org/. One must be subscribed to send to
the list, fishcart@fishcart.org.
ADDITIONAL INFORMATION
The information has been provided by Luke Campbell
(l.campbell@m2consultancy.com).
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.