Dragonfly Commerce dc_Categorieslist.asp Hidden Field Modification Product Price Manipulation

2005-07-12T04:49:43
ID OSVDB:18449
Type osvdb
Reporter Diabolic Crab(dcrab@hackerscenter.com)
Modified 2005-07-12T04:49:43

Description

Vulnerability Description

Dragonfly Commerce contains a flaw that may allow a remote attacker to manipulate prices without authorization. The issue is due to the dc_Categorieslist.asp script not properly sanitizing user input. By modifying the 'x_DragonflyCartProductPrice' hidden field before submission, it is possible for an attacker to manipulate prices in the system before purchasing an item.

Technical Description

The vendor had originally disputed these claims, stating: "Dragonfly Commerce does not allow for editing prices nor does it allow for viewing information about clients stored in the database except by the store owner and authorized staff as appointed in the store administration." However, subsequent testing by SecurityTracker verified the original findings and confirmed the vulnerability. The vendor silently released a fix several days later.
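As an added example (not part of the OSVDB record or of Dragonfly Commerce itself), the Python sketch below contrasts a checkout handler that trusts the x_DragonflyCartProductPrice hidden field with one that takes the price from a server-side catalog, and adds the mismatch check a defender would log on; the product-id field name, the catalog and the request bodies are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed stand-in for the store's product table (assumption, not Dragonfly data).
CATALOG = {"1001": Decimal("49.95"), "1002": Decimal("129.00")}

# Hidden field named in the advisory, plus a hypothetical product-id field.
PRICE_FIELD = "x_DragonflyCartProductPrice"
PRODUCT_FIELD = "x_DragonflyCartProductID"  # assumed name, not from the advisory


def parse_form(body: str) -> dict:
    """Decode a urlencoded POST body into a flat {field: first value} dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def line_price_vulnerable(form: dict) -> Decimal:
    """The flawed pattern: the price the browser posted is taken at face value."""
    return Decimal(form[PRICE_FIELD])


def line_price_hardened(form: dict) -> Decimal:
    """The fix: the hidden price field is ignored; the price comes from the catalog."""
    product_id = form.get(PRODUCT_FIELD)
    if product_id not in CATALOG:
        raise ValueError(f"unknown product id {product_id!r}")
    return CATALOG[product_id]


def price_tampered(form: dict) -> bool:
    """Detection check: True when the posted hidden price disagrees with the catalog
    (or cannot be parsed at all); worth logging even once the fix is in place."""
    product_id = form.get(PRODUCT_FIELD)
    if product_id not in CATALOG:
        return True
    try:
        posted = Decimal(form.get(PRICE_FIELD, ""))
    except InvalidOperation:
        return True
    return posted != CATALOG[product_id]


# Constructed requests: an honest submission and one with the hidden field rewritten.
HONEST = f"{PRODUCT_FIELD}=1001&{PRICE_FIELD}=49.95"
TAMPERED = f"{PRODUCT_FIELD}=1001&{PRICE_FIELD}=0.01"

if __name__ == "__main__":
    for body in (HONEST, TAMPERED):
        f = parse_form(body)
        print(body, line_price_vulnerable(f), line_price_hardened(f), price_tampered(f))
```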

Solution Description

No workarounds or upgrades are currently known to correct this issue; however, Incredible Interactive has released a patch that addresses this vulnerability.

Short Description

Dragonfly Commerce contains a flaw that may allow a remote attacker to manipulate prices without authorization. The issue is due to the dc_Categorieslist.asp script not properly sanitizing user input. By modifying the 'x_DragonflyCartProductPrice' hidden field before submission, it is possible for an attacker to manipulate prices in the system before purchasing an item.

References:

Vendor Specific Advisory URL
Security Tracker: 1014451
Secunia Advisory ID: 16007
Related OSVDB ID: 18448
Related OSVDB ID: 18446
Related OSVDB ID: 18441
Related OSVDB ID: 18447
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0196.html
CVE-2005-2220