DST2K0036.txt

2000-10-05T00:00:00
ID PACKETSTORM:23253
Type packetstorm
Reporter delphisplc.com
Modified 2000-10-05T00:00:00

Description

                                        
                                            `  
============================================================================  
Delphis Consulting Plc  
============================================================================  
  
Security Team Advisories  
[22/09/2000]  
  
securityteam@delphisplc.com  
[http://www.delphisplc.com/thinking/whitepapers/]  
  
============================================================================  
Adv : DST2K0036  
Title : Price modification possible in CyberOffice Shopping Cart  
Author : DCIST (securityteam@delphisplc.com)  
O/S : Microsoft Windows NT 4 Server (SP5)  
Product : CyberOffice Shopping Cart v2  
Date : 22/09/2000  
  
I. Description  
  
II. Delphis Solution  
  
III. Vendor Comments  
  
IV. Disclaimer  
  
  
============================================================================  
  
I. Description  
============================================================================  
  
Vendor URL: http://www.smartwin.com.au/smartwin.htm  
  
Delphis Consulting Internet Security Team (DCIST) discovered the following  
vulnerability in CyberOffice Shopping Cart v2 under Windows NT.  
  
Severity: high - Price modification possible  
  
It is possible to modify the unit price of items as it is submitted as  
a hidden field as part of the order form. By saving a copy of the order  
form down locally and modify the value it is possible to submit a order  
form with a zero or even negative price value.  
  
example: <input type="hidden" name="Price" value="0">  
  
The vendor solutions relies on referrers and is easily bypassed.  
  
II. Delphis Solution  
============================================================================  
  
Vendor Status: Informed  
  
Currently Delphis recommend the following:  
  
o Make transactions non-realtime (i.e. Manual authorisation)  
  
III. Vendor Comments  
============================================================================  
  
SmartWin is aware of the problem and has provided solution since about 6  
months ago.  
  
Under Global / System Settings of the Shop Manager, you can set Authorized  
URL(s) to specify the Web sites (folders) where the shopping pages reside.  
This effectively stops the problem you reported in this article.  
  
Typically, merchants will switch on the option for real-time services.  
  
IV. Disclaimer  
============================================================================  
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR  
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE  
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR  
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE  
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.  
============================================================================  
This e-mail and any files transmitted with it are intended solely for the  
addressee and are confidential. They may also be legally  
privileged.Copyright in them is reserved by Delphis Consulting PLC  
["Delphis"] and they must not be disclosed to, or used by, anyone other than  
the addressee.If you have received this e-mail and any accompanying files in  
error, you may not copy, publish or use them in any way and you should  
delete them from your system and notify us immediately.E-mails are not  
secure. Delphis does not accept responsibility for changes to e-mails that  
occur after they have been sent. Any opinions expressed in this e-mail may  
be personal to the author and may not necessarily reflect the opinions of  
Delphis  
  
`