FishCart Integer Overflow / Rounding Error

From: Michael Brennen (mbrennen_at_fni.com)
Date: 01/14/04

  • Next message: bugzilla_at_redhat.com: "[RHSA-2004:007-01] Updated tcpdump packages fix various vulnerabilities"
    Date: Wed, 14 Jan 2004 09:06:02 -0600 (CST)
    To: bugtraq@securityfocus.com
    
    

    FishCart(R) is a popular full-featured multi-language open source
    e-commerce system. It is written in PHP4 and works with a variety
    of database engines. It has been in production for 6 years and is
    in active use in a number of countries. FishCart has developers in
    the US and western Europe.

    On 8 January 2004, Luke Campbell (l.campbell@m2consultancy.com) of
    M2 Consultancy reported an error where very large quantities
    ordered, on the order of a billion or more, can cause negative
    totals in FishCart. We quickly traced this to an integer overflow
    in an arithmetic rounding function written for PHP2, in which
    FishCart was originally written in late 1997. This rounding
    function has since been in use in all versions of FishCart.

    The developers believe there is a simple solution: replace the
    previous rnd() function with the one below. After research and
    testing we believe this will give accurate multi-national results.

    function rnd ($n) {
        return round($n,2);
    }

    The function is found in the included file round.php[3] for FishCart
    3.0 or earlier, or in functions.php for the version 3.1 betas.
    FishCart version 1.x users will need to modify the function in both
    the round.php3 and showcart.php3 files.

    Version 3.1, available from http://fishcart.org/, is supplied with
    the patch already applied and tested.

    The second precision argument to the round() function requires
    PHP4. We believe this to be a reasonable choice, as the vast
    majority of sites should by now be running on PHP4.

    For sites running on PHP3, or for those that do not have immediate
    access to the FishCart code, risk can be greatly reduced if a
    FishCart site sets a maximum order quantity on each product, or if
    inventory checks are enabled per product (unless very high stock
    levels are listed). As long as the maximum total currency amount is
    less than (2^31)-5, or 2,147,483,643, there will be no integer
    overflow in the current rnd() function.

    The appropriate maximum order quantity in the product table will
    depend on each site, perhaps 1000 or 10000; this could be set per
    product or sitewide as makes sense for each installation.

    Another option is to modify the code in the showcart.php[3] and
    modcart.php[3] files to limit the quantity allowed. No specific code
    patches can be provided due to the many different versions of FishCart
    that have been released.

    B. van Ouwerkerk, one of the FishCart developers, has provided a
    simple utility script to update all products with a maximum order
    quantity. The script is available from the following location.
    Rename the script to fcsqlfix.php and upload it to the ./maint
    directory under the FishCart installation, then access the file
    directly from your browser. A simple form will be presented to
    enter the maximum order quantity to which you wish to set all
    products. When submitted the form will update the database.
    Thanks to B. for responding quickly with this.

    http://fishcartdocs.bvanouwerkerk.nl/fcsqlfix.php.txt

    Support will be provided via the FishCart support e-mail list,
    available for subscription at http://fishcart.org/. One must be
    subscribed to send to the list, fishcart@fishcart.org.

    We recommend that the appropriate fix for each site be applied
    immediately. No known abuses of this bug have been reported.
    Merchants should be able to quickly identify and correct any such
    abuses, due to the negative totals and the extremely high product
    quantities required to cause the overflow.

       Michael Brennen
       President, FishNet(R), Inc.
       For the FishCart Developers
       +011 972.669.0041

    FishCart is a registered trademark of FishNet(R), Inc.
