ShopFactory shopping cart price manipulation

2002-12-03T00:00:00
ID SECURITYVULNS:DOC:3834
Type securityvulns
Reporter Securityvulns
Modified 2002-12-03T00:00:00

Description

Trust Factory Security Advisory TF20021004

Discovery Date: October 4, 2002
Release Date: December 2, 2002
ID: TF20021004
Title: ShopFactory shopping cart price manipulation
Impact: Customers can modify the price of items at will
Affected Technology: Online shopping carts created with ShopFactory
Vendor Status: Vendor was notified on October 7, 2002. Vendor promised partial fix, and suggested work around.
Discovered By: Richard van den Berg <richard@trust-factory.com>
Advisory URL: http://www.trust-factory.com/TF20021004.html

Background:

ShopFactory is an online shop management package by 3D3.COM Pty Ltd based in Australia. A quote from the www.shopfactory.com homepage:

With more than 100,000 shops worldwide built with our secure shopping cart software, ShopFactory is one of the world's most popular and powerful e-commerce solutions.

Description:

The contents of shopping carts used by shops created with ShopFactory software can be modified at will by customers. One interesting vulnerability is the ability to maliciously modify prices of items in the shopping carts. Tests show that the modifications are maintained throughout the billing process.

Technical details:

Shopping carts created with ShopFactory software optionally store all contents of the cart in a cookie at the browser. This includes product IDs, descriptions and prices. Upon revisiting the store, this cookie is used to fill the cart for the new session. At checkout the contents of this new cart are used to enter the order into the shop's delivery and billing system. If the shop owner has set "Remember Shopping cart for (days)" to 0, cookies are not created by the shop. Prior to version 5.8 cookies are read even when the shop does not create them. If a malicious user manually creates a cookie with incorrect pricing, it would still be used to fill the cart for a new shopping session.
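The following is an added illustration of the flaw described above, not code from the advisory or from ShopFactory. It assumes a constructed cookie format of "id:description:price_cents:qty" entries separated by "|", and a server-side catalog; the vulnerable restore rebuilds the cart from the cookie's own price field, while the hardened restore honours the "remember cart" setting and takes the price from the catalog instead.

```python
# Server-side catalog (constructed for this example): the only trusted source of prices, in cents.
CATALOG = {"SKU-100": ("Widget", 1995), "SKU-200": ("Gadget", 4900)}


def parse_cart_cookie(cookie):
    """Parse the constructed cart cookie 'id:description:price_cents:qty|...' into dicts."""
    items = []
    for entry in cookie.split("|"):
        if not entry:
            continue
        pid, desc, price, qty = entry.split(":")
        items.append({"id": pid, "desc": desc, "price": int(price), "qty": int(qty)})
    return items


def restore_cart_vulnerable(cookie):
    """The pattern the advisory describes: the cart, price included, is rebuilt
    from the cookie, so whatever price the browser sent becomes the order total."""
    items = parse_cart_cookie(cookie)
    return sum(i["price"] * i["qty"] for i in items)


def restore_cart_hardened(cookie, remember_days):
    """Defensive version: never read a cart cookie when the shop is configured
    not to remember carts; otherwise keep only product ID and quantity from the
    cookie and re-read the price from the server-side catalog."""
    if remember_days <= 0:
        return 0  # "Remember Shopping cart for (days)" is 0: the cookie is ignored entirely
    total = 0
    for i in parse_cart_cookie(cookie):
        if i["id"] not in CATALOG:
            raise ValueError(f"unknown product id {i['id']!r}")
        if i["qty"] < 1:
            raise ValueError("quantity must be positive")
        _, price_cents = CATALOG[i["id"]]  # cookie price field is deliberately not used
        total += price_cents * i["qty"]
    return total


if __name__ == "__main__":
    honest = "SKU-100:Widget:1995:2|SKU-200:Gadget:4900:1"
    tampered = "SKU-100:Widget:1:2|SKU-200:Gadget:1:1"  # prices rewritten to 1 cent
    print("vulnerable, honest cookie:  ", restore_cart_vulnerable(honest))
    print("vulnerable, tampered cookie:", restore_cart_vulnerable(tampered))
    print("hardened,   tampered cookie:", restore_cart_hardened(tampered, remember_days=30))
```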

Vendor response:

After being made aware of the problem, 3D3.COM chose to fix the reading in of cookies when the shop does not create them. We have not been given the opportunity to verify this fix. Regardless, the price manipulation vulnerability will still exist when "Remember Shopping cart for (days)" is set larger than 0. 3D3.COM states that they have not heard of any merchant experiencing fraud caused by this problem. 3D3.COM has informed its customers of this issue.

Conclusion:

ShopFactory violates the "don't trust user input" rule of application programming, resulting in potential loss of profit for shops using this software. See also Don't #2 of "Twenty Don'ts for ASP Developers" at http://online.securityfocus.com/infocus/1603

Possible work around:

Upgrade to at least version 5.8 of the ShopFactory software and set "Remember Shopping cart for (days)" to 0.

-- Richard van den Berg, CISSP

Trust Factory B.V.  | http://www.trust-factory.com/
Bazarstraat 44a     | Phone: +31 70 3620684
NL-2518AK The Hague | Fax  : +31 70 3603009
The Netherlands     |