Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability
BID:1237
Info
Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability
| Bugtraq ID: | 1237 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Feb 01 2000 12:00AM |
| Updated: | Feb 01 2000 12:00AM |
| Credit: | Publicized in an ISS advisory released on February 1, 2000. Additional information posted to Bugtraq by [email protected] on May 22, 2000. |
| Vulnerable: |
Zilron StoreCreator 3.0 Shop Express Shop Express 1.0 McMurtrey/Whitaker & Associates Cart32 3.0 McMurtrey/Whitaker & Associates Cart32 2.5 a E-Commerce Exchange QuickCommerce 3.0 E-Commerce Exchange QuickCommerce 2.5 |
| Not Vulnerable: | |
Discussion
Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability
Various shopping cart applications use hidden form fields within the html source code with preset parameters which contain product information. For example: price, weight, quantity, identification etc. If a remote user saves the web page of a particular item to their machine it is possible for them to edit the html source, consequently allowing them to alter the parameters of the product. The modified web page can then be submitted to the shopping cart application. It is also possible in some circumstances to exploit this vulnerability via any regular browser's address bar.
Some vendors have built in checks that require the post method or the check refer field, both these requirements can be defeated via custom built http requests.
Various shopping cart applications use hidden form fields within the html source code with preset parameters which contain product information. For example: price, weight, quantity, identification etc. If a remote user saves the web page of a particular item to their machine it is possible for them to edit the html source, consequently allowing them to alter the parameters of the product. The modified web page can then be submitted to the shopping cart application. It is also possible in some circumstances to exploit this vulnerability via any regular browser's address bar.
Some vendors have built in checks that require the post method or the check refer field, both these requirements can be defeated via custom built http requests.
Exploit / POC
Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability
CDI <[email protected]> has released the following exploit:
CDI <[email protected]> has released the following exploit:
Solution / Fix
Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability
Solution:
As this problem affects multiple products, check your vendors homepage for solution information.
In the ISS advisory the following products are listed as having been fixed:
@Retail (http://www.atretail.com)
Cart32 2.6 (http://www.cart32.com)
CartIt 3.0 (http://www.cartit.com)
Make-a-Store OrderPage (http://www.make-a-store.com)
SalesCart (http://www.salescart.com)
SmartCart (http://www.smartcart.com)
Shoptron 1.2 (http://www.shoptron.com)
Cart32 version3.0 is still vulnerable.
Solution:
As this problem affects multiple products, check your vendors homepage for solution information.
In the ISS advisory the following products are listed as having been fixed:
@Retail (http://www.atretail.com)
Cart32 2.6 (http://www.cart32.com)
CartIt 3.0 (http://www.cartit.com)
Make-a-Store OrderPage (http://www.make-a-store.com)
SalesCart (http://www.salescart.com)
SmartCart (http://www.smartcart.com)
Shoptron 1.2 (http://www.shoptron.com)
Cart32 version3.0 is still vulnerable.
References
Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability
References:
References:
- Cart32 Product Homepage (McMurtrey/Whitaker & Associates)