Form and URL tampering possible in several Web-based shopping cart applications

shopping-cart-form-tampering (4621) The risk level is classified as High Risk

Description:

Many Web-based shopping cart applications use hidden fields in HTML forms to hold parameters for items in an online store. These parameters can include the item's name, weight, quantity, product ID, and price. Any application that bases the price on a hidden field in an HTML form is vulnerable to price changing by a remote user. Because hidden fields are part of the client-submitted form data, a remote user can change the value of the hidden field that specifies the price of an item they intend to buy and purchase that product at any price they choose.

Shopping cart programs that include the price of an item in the URL are also vulnerable to price changing. Some CGI programs for online shopping add the item to the shopping cart with the price set in the URL. A remote user can change the price in the URL and add the item to the shopping cart at the modified price.
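The following is an added illustration, not code from any of the affected products: a constructed add-to-cart handler written the way the advisory describes (the price taken from a hidden form field or URL parameter) beside a hardened version that resolves the price server-side from the product ID and records any mismatch with the client-supplied copy as a tamper indicator. The catalog, SKUs and parameter names are assumptions made up for the example.

```python
from urllib.parse import parse_qs

# Constructed sample catalog: the server-side source of truth for prices (cents).
CATALOG = {"SKU-100": 4999, "SKU-200": 12500}


def parse_request(query_string):
    """Flatten a CGI-style query string or form body into a dict of scalars."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def add_to_cart_vulnerable(cart, params):
    """The pattern the advisory describes: the price comes from the client.

    A hidden <input name="price"> or a price=... URL parameter is accepted at
    face value, so whatever the client submits becomes the line price.
    Returns the line total that would be charged.
    """
    item = params["item"]
    price = int(params["price"])          # trusted from the request: the flaw
    qty = int(params.get("qty", "1"))
    cart.append((item, qty, price))
    return price * qty


def add_to_cart_hardened(cart, params, audit_log):
    """The price is looked up from the catalog by product ID; any client copy
    is only compared against it so that tampering attempts are logged.
    Returns the line total that will be charged.
    """
    item = params["item"]
    if item not in CATALOG:
        raise ValueError("unknown product")
    qty = int(params.get("qty", "1"))
    if qty < 1:
        raise ValueError("invalid quantity")
    price = CATALOG[item]
    submitted = params.get("price")
    if submitted is not None and submitted != str(price):
        # Detection hook: a mismatch means the hidden field or URL was altered.
        audit_log.append(f"price mismatch for {item}: submitted {submitted}, catalog {price}")
    cart.append((item, qty, price))
    return price * qty
```

The same check applies to any other hidden parameter the server relies on (quantity, weight, shipping method): derive it from server-side state and treat the submitted value, if any, only as something to verify.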
Consequences:

Data Manipulation

Remedy:

If your shopping cart application is vulnerable, upgrade to a fixed version if the vendor has provided one. If there is no upgrade available, consider switching to a more secure shopping cart application.

More information, including a list of the affected vendors and their responses, is available in Internet Security Systems Advisory #42. See References.

References:

  • BugTraq Mailing List, Fri Apr 14 2000 - 10:09:47 CDT: more problems with that POS dansie cart software!
  • BugTraq Mailing List, Tue Nov 12 2002 - 00:44:50 CST: Well known flaw in web cart software remains wide open.
  • iDEFENSE Security Advisory 12.16.02c: Arbitrary Price Manipulation in CartMan Shopping Software.
  • Internet Security Systems Security Alert #42: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications.
  • VulnWatch Mailing List, Wed Mar 05 2003 - 00:51:29 CST: shopfactory shopping cart.
  • BID-1115: Dansie Shopping Cart 3.04 Multiple Vulnerabilities
  • BID-1237: Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability
  • BID-6178: Cart32 Hidden Form Field Manipulation Vulnerability
  • BID-6179: JustAddCommerce Hidden Form Field Manipulation Vulnerability
  • CVE-2000-0101: The Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0102: The SalesCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0103: The SmartCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0104: The Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0106: The EasyCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0108: The Intellivend shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0110: The WebSiteTool shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0123: The shopping cart application provided with Filemaker allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0134: The Check It Out shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0135: The @Retail shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0136: The Cart32 shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0137: The CartIt shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
  • CVE-2000-0253: The dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields.
  • CVE-2002-1352: Per Magne Knutsen's CartMan shopping cart (cartman.php) 1.04 and earlier allows remote attackers to modify product prices by changing the price parameter.
  • SECTRACK ID: 1005829: CartMan Shopping Cart Lets Remote Users Modify Prices of Items in Their Shopping Basket

Platforms Affected:

  • 3D3.COM ShopFactory 5.8 and prior
  • @Retail Corporation @Retail
  • Adgrafix Check It Out
  • Baron Consulting Group WebSite Tool
  • ComCity Corporation SalesCart shopping cart
  • Crested Butte Software EasyCart
  • Dansie Dansie Shopping Cart
  • Intelligent Vending Systems Intellivend
  • Make-a-Store Make-a-Store OrderPage
  • McMurtrey/Whitaker & Associates Cart32 2.6
  • McMurtrey/Whitaker & Associates Cart32 3.0
  • pknutsen CartMan 1.04
  • Rich Media Technologies JustAddCommerce 5.0
  • SmartCart SmartCart
  • Web Express Shoptron 1.2

Reported:

Feb 01, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
