=====================================================================
Securax-SA-07 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: Price modification in Element InstantShop
Announced: 2000-10-23
Updated: 2000-10-23
O/S: Microsoft Windows NT 4 Server
Severity: High - Price modification possible
vendor URL: www.element.be
cgi-bin: /[bin-dir]/add_2_basket.asp
=====================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE
ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY
IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE
ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS
INFORMATION FOR ANY PURPOSE.
I. Background
It is possible to modify the unit price of items, because the price is
submitted as a hidden field in the order form. By saving a copy of the
order form locally and modifying that value, it is possible to submit
an order form with a zero or even negative price value.
II. Impact
Example:
--> change this value to anything you like.
III. Recommendation
The vendor has been informed, but in the meantime we recommend
using non-realtime transactions ( ie: manual authorisation ). And
watch out for a BMW going over the counter for $10 :-)
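The root cause described in section I is that the server trusts a price the browser sends back to it; the workaround in section III is to put a human in the loop. The following added example (not Element InstantShop code, and not from the advisory authors) shows both sides in Python: a handler that trusts the hidden `price` field as posted, next to a hardened handler that takes the unit price from a server-side catalogue, rejects non-positive quantities, and flags any submission whose posted price disagrees with the catalogue so it can be routed to manual authorisation. The catalogue entries, field names and form submissions are constructed for the example.

```python
# Added example: server-side handling of an "add to basket" form post.
# The catalogue, field names and sample forms below are constructed; this
# is not the vendor's ASP code and does not reproduce its actual fields.
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the server's authoritative unit prices.
CATALOG = {
    "SKU-001": Decimal("19.95"),
    "SKU-002": Decimal("42000.00"),
}

# Constructed form submissions (hypothetical field names).
HONEST_FORM = {"item": "SKU-002", "qty": "1", "price": "42000.00"}
TAMPERED_FORM = {"item": "SKU-002", "qty": "1", "price": "0.00"}


def add_to_basket_vulnerable(form: dict) -> Decimal:
    """The pattern the advisory describes: the hidden 'price' field is
    taken at face value, so whatever the client posts becomes the total."""
    qty = int(form["qty"])
    price = Decimal(form["price"])
    return price * qty


def add_to_basket_hardened(form: dict) -> dict:
    """Never uses the client-supplied price for the total. The unit price
    comes from the catalogue; the posted value is only compared against it
    so that a mismatch can be flagged for manual authorisation."""
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise ValueError("invalid quantity")
    if qty < 1:
        raise ValueError("quantity must be positive")

    unit_price = CATALOG[item]

    # Compare, do not trust: a missing, malformed, zero or negative posted
    # price is a tampering signal, not an input to the calculation.
    posted = form.get("price")
    try:
        tampered = posted is None or Decimal(posted) != unit_price
    except InvalidOperation:
        tampered = True

    return {
        "item": item,
        "qty": qty,
        "unit_price": unit_price,
        "total": unit_price * qty,
        "needs_manual_authorisation": tampered,
    }


if __name__ == "__main__":
    print("vulnerable, tampered form:", add_to_basket_vulnerable(TAMPERED_FORM))
    print("hardened, honest form:    ", add_to_basket_hardened(HONEST_FORM))
    print("hardened, tampered form:  ", add_to_basket_hardened(TAMPERED_FORM))
```

The hardened handler still accepts the tampered submission, but it charges the catalogue price and marks the order for review, which is the same effect as the advisory's interim advice of manual authorisation, applied only where the evidence of tampering exists.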
IV. Credits
and for the e-shop hunting spree, for the HTML.
=====================================================================
For more information info@securax.org
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
---------------------------------------------------------------------