ShopFactory Cookie Price Modification

2002-12-02T00:00:00
ID OSVDB:5963
Type osvdb
Reporter Richard van den Berg (richard@trust-factory.com)
Modified 2002-12-02T00:00:00

Description

Vulnerability Description

3D3.Com ShopFactory contains a flaw that may allow a malicious user to modify the contents of their shopping cart. The issue is triggered when a malicious user modifies variables in an existing cookie. The flaw may allow the user to specify any desired price for any item in their shopping cart while shopping, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw with the following workaround: set "Remember Shopping cart for (days)" to 0.
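An added example, not ShopFactory code and not part of the original advisory: a server-side check that treats any price carried in a cart cookie as untrusted, re-prices the order from the shop's own catalogue, and uses an HMAC to detect cookie tampering. The cookie layout, SKUs, key and function names are assumptions made for illustration; the advisory does not describe ShopFactory's cookie format.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the server's authoritative prices (hypothetical SKUs).
CATALOGUE = {"SKU-100": Decimal("49.95"), "SKU-200": Decimal("12.50")}
# Constructed demo key; a real deployment loads it from secret storage.
COOKIE_KEY = b"constructed-demo-key"


def sign_cart(cart_json):
    """Return 'payload|hexmac' so later edits to the payload are detectable."""
    mac = hmac.new(COOKIE_KEY, cart_json.encode(), hashlib.sha256).hexdigest()
    return cart_json + "|" + mac


def verify_cart(cookie):
    """Return the parsed cart lines if the MAC matches, otherwise None."""
    payload, _, mac = cookie.rpartition("|")
    expected = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def reprice(cart):
    """Total the cart from CATALOGUE; list SKUs whose cookie price differs."""
    total, mismatches = Decimal("0"), []
    for line in cart:
        sku, qty = line.get("sku"), int(line.get("qty", 0))
        if sku not in CATALOGUE or qty < 1:
            raise ValueError("rejecting cart line: %r" % (line,))
        trusted = CATALOGUE[sku]
        try:
            claimed = Decimal(str(line.get("price", trusted)))
        except InvalidOperation:
            claimed = None  # unparseable price counts as a mismatch
        if claimed != trusted:
            mismatches.append(sku)  # worth logging: client-side price was altered
        total += trusted * qty  # the cookie's price is never used for billing
    return total, mismatches
```

Either control addresses the integrity loss on its own; re-pricing from the catalogue is the stronger of the two because it does not depend on the cookie being intact.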

References:

Vendor URL: http://www.shopfactory.com/
Other Advisory URL: http://www.trust-factory.com/TF20021004.html
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0109.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-12/0018.html
ISS X-Force ID: 10746
Bugtraq ID: 6296