[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Price modification possible in CyberOffice Shopping Cart

Title: Price modification possible in CyberOffice Shopping Cart
Released by: Delphis Consulting Plc
Date: 22nd September 2000
Printable version: Click here 
============================================================================

    Delphis Consulting Plc

============================================================================



   Security Team Advisories

       [22/09/2000]



    securityteam@delphisplc.com

  [http://www.delphisplc.com/thinking/whitepapers/]



============================================================================

Adv     :       DST2K0036

Title   :       Price modification possible in CyberOffice Shopping Cart

Author  :       DCIST (securityteam@delphisplc.com)

O/S     :       Microsoft Windows NT 4 Server (SP5)

Product :       CyberOffice Shopping Cart v2

Date    :       22/09/2000



I.    Description



II.   Delphis Solution



III.  Vendor Comments



IV.   Disclaimer





============================================================================



I. Description

============================================================================



Vendor URL: http://www.smartwin.com.au/smartwin.htm



Delphis Consulting Internet Security Team (DCIST) discovered the following

vulnerability in CyberOffice Shopping Cart v2 under Windows NT.



Severity: high - Price modification possible



It is possible to modify the unit price of items as it is submitted as

a hidden field as part of the order form. By saving a copy of the order

form down locally and modify the value it is possible to submit a order

form with a zero or even negative price value.



example: 



The vendor solutions relies on referrers and is easily bypassed.



II. Delphis Solution

============================================================================



Vendor Status: Informed



Currently Delphis recommend the following:



 o Make transactions non-realtime (i.e. Manual authorisation)



III. Vendor Comments

============================================================================



SmartWin is aware of the problem and has provided solution since about 6

months ago.



Under Global / System Settings of the Shop Manager, you can set Authorized

URL(s) to specify the Web sites (folders) where the shopping pages reside.

This effectively stops the problem you reported in this article.



Typically, merchants will switch on the option for real-time services.



IV. Disclaimer

============================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT

THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR

IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE

PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR

CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE

PLACED ON, THIS INFORMATION FOR ANY PURPOSE.

============================================================================






(C) 1999-2000 All rights reserved.