Arbitrary Price Manipulation in CartMan Shopping Software
20 Dec. 2002
Summary
Per Magne Knutsen's CartMan is a PHP-based multilingual, standalone web-based shopping cart application. A vulnerability in the product allows remote attackers to manipulate the price of products being sold by the software.
Credit:
The information has been provided by iDEFENSE Labs; the vulnerability was discovered by Steven Dowd.
The problem is that an attacker can generate such a request by hand and set the price parameter (price=250 in the above URL) to any price desired. The following rewritten URL will add the "My Product" item listed as $250 to the attacker's shopping cart at a price of $1:
Analysis:
In cases where software is made available for download immediately after automated credit card validation, remote attackers can purchase such software for any price desired.
Vendor response:
Knutsen said, "A temporary fix that conceals how CartMan actually works has been suggested to my customers. The "fix" is available in the documentation file of an upcoming update of CartMan. Please see http://www.cartman.nethut.no/development/documentation.html . The relevant section is in the section Frequently Asked Questions, and reads like this:
--- extract start ---
"How can I create a product-link to CartMan without the price and product ID showing in the browser's address field?"
You can also pass information to CartMan via a FORM in your webpage, not just by links. Remember to include all the fields. An example, which also uses JavaScript, is used in the index.html page that comes with this distribution. Click on the Dreamweaver link to see it in action. The link calls a JavaScript on the page, that in turn submits an invisible FORM on the same page.
--- extract end ---"
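The root cause described in the advisory, and the reason the vendor's hidden-FORM suggestion does not remove it, is that the cart accepts the price from the client. Whether the parameter travels in a URL or in a form the browser submits, the client controls it. The following PHP is an added example, not CartMan's code: it places the pattern the advisory describes next to a hardened handler that takes only a product ID and quantity from the request and reads name and price from a server-side catalogue. The catalogue contents, request shape and function names are assumptions.

```php
<?php
// Added example (not CartMan's code). The catalogue, request layout and
// function names are assumed for illustration.

// Constructed catalogue: product ID => name and price in dollars.
const CATALOGUE = [
    'prod-001' => ['name' => 'My Product',    'price' => 250.00],
    'prod-002' => ['name' => 'Other Product', 'price' => 40.00],
];

// Pattern the advisory describes: the cart line is built from whatever
// price the client sent. A hand-built request, or a hidden FORM the page
// submits, can carry any value, because both originate on the client.
function addToCartTrustingClient(array $request, array &$cart): void
{
    $cart[] = [
        'id'    => $request['id'],
        'name'  => $request['name'],
        'price' => (float) $request['price'],
        'qty'   => (int) $request['qty'],
    ];
}

// Hardened pattern: the client supplies only a product ID and a quantity.
// Name and price are looked up server-side; a price field in the request,
// if present, is simply never read. Unknown IDs and non-positive
// quantities are rejected.
function addToCartServerPriced(array $request, array &$cart): bool
{
    $id  = (string) ($request['id'] ?? '');
    $qty = filter_var(
        $request['qty'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($qty === false || !array_key_exists($id, CATALOGUE)) {
        return false;
    }
    $cart[] = [
        'id'    => $id,
        'name'  => CATALOGUE[$id]['name'],
        'price' => CATALOGUE[$id]['price'],
        'qty'   => $qty,
    ];
    return true;
}

// The amount to charge is recomputed from the cart lines, which under the
// hardened handler contain only catalogue prices.
function cartTotal(array $cart): float
{
    $total = 0.0;
    foreach ($cart as $line) {
        $total += $line['price'] * $line['qty'];
    }
    return $total;
}

// Constructed request carrying a client-chosen price of $1 for the $250 item.
$tampered = ['id' => 'prod-001', 'name' => 'My Product', 'price' => '1', 'qty' => '1'];

$cartA = [];
addToCartTrustingClient($tampered, $cartA);
printf("trusting client price: total = $%.2f\n", cartTotal($cartA));

$cartB = [];
addToCartServerPriced($tampered, $cartB);
printf("server-side price:     total = $%.2f\n", cartTotal($cartB));

$accepted = addToCartServerPriced(['id' => 'prod-999', 'qty' => '1'], $cartB);
printf("unknown product ID accepted: %s\n", $accepted ? 'yes' : 'no');
```

The same lookup has to be applied wherever an amount is finally charged, not only when an item is added: if checkout or the card-validation step reads a total from a form field or a cookie, the cart-side fix is bypassed. Moving the price into a hidden form field, as the vendor's documentation extract suggests, changes only where the parameter is rendered, not who controls it, and so is not a mitigation on its own.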
Disclosure timeline:
11/04/2002 Issue disclosed to iDEFENSE
11/22/2002 Author notified, Per Magne Knutsen (pknutsen@nethut.no)
11/23/2002 Response from Author
11/25/2002 iDEFENSE clients notified
12/16/2002 Coordinated Public Disclosure