Element's InstantShop, an e-commerce site solution, suffers from a security flaw that allows remote users to modify prices of sold products.
Credit:
The information has been provided by Zoa_Chien and Forrest J. Cavalier III.
It is possible to modify the unit price of items as it is submitted as a hidden field as part of the order form. By saving a copy of the order form down locally and modifying the value, it is possible to submit an order form with a zero or even negative price value.
Example:
<INPUT TYPE = HIDDEN NAME = "product" VALUE = "blah-blah">
<INPUT TYPE = HIDDEN NAME = "name" VALUE = "blah-blah" >
<INPUT TYPE = HIDDEN NAME = "price" VALUE = "1">
--> Change this value to anything you like.
<INPUT TYPE = HIDDEN NAME = "weight" VALUE = "1">
<INPUT TYPE = HIDDEN NAME = "shopperid" VALUE = "">
<INPUT TYPE = HIDDEN NAME = "departement" VALUE = "11">
<INPUT TYPE = HIDDEN NAME = "index" VALUE = "1">
Recommendation:
The vendor has been informed, but until an official patch is released, it is recommended to fall back to using non-real-time transactions (i.e. manual authorization).
General comment:
It is best not to pass prices through forms. If you have the ability to run a scripting language, you can store all of your prices in a database - even a flat text file would work. Then the form and the processing page just look up the price in the database.
If you insist on not using a database, there is one simple technique for PHP3 that will protect you against this kind of tampering: use a signature to validate the hidden values.
In PHP3, it is as simple as using md5 with a secret, like this:
/* Known only to the server; never written into the form */
$secret = "Some constant, unrevealed string.";
/* On writing out the form: emit the hidden values together with an md5
   of those values and the secret, so a changed value no longer matches */
echo "<INPUT TYPE=hidden NAME=price VALUE=\"$price\">";
echo "<INPUT TYPE=hidden NAME=hidden2 VALUE=\"$hidden2\">";
echo "<INPUT TYPE=hidden NAME=hidden3 VALUE=\"$hidden3\">";
echo "<INPUT TYPE=hidden NAME=hiddensig VALUE=\"" .
md5($price . $hidden2 . $hidden3 . $secret) . "\">";
/* On reading in the form: $price, $hidden2, $hidden3 and $hiddensig arrive
   as the submitted form fields (PHP3 global variables); recompute the
   signature over them with the same secret and compare */
if (md5($price . $hidden2 . $hidden3 . $secret) != $hiddensig) {
/* Tampering detected: at least one hidden value was changed */
} else {
/* Signature matches expected: the values are as the server wrote them */
}
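The same idea carried through as an added example (not code from the advisory or from InstantShop): the server signs the hidden order fields before writing the form out and re-checks the signature on submission. It uses HMAC-SHA256 with length-prefixed values rather than md5 over a bare concatenation, so that neither a changed value nor a shifted boundary between two values passes the check; the secret, field names and sample order are constructed for the example.

```python
import hashlib
import hmac
from html import escape

# Server-side secret; constructed placeholder for this example (load from config in practice).
SECRET = b"Some constant, unrevealed string."
# Hidden fields whose values the server wants to trust when the order comes back.
SIGNED_FIELDS = ("product", "price", "weight", "departement", "index")


def signature(fields):
    """HMAC-SHA256 over the signed field values, each length-prefixed so that
    e.g. price="1",weight="23" cannot collide with price="12",weight="3"."""
    msg = b""
    for name in SIGNED_FIELDS:
        value = str(fields[name]).encode("utf-8")
        msg += len(value).to_bytes(4, "big") + value
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def render_hidden_inputs(fields):
    """Emit the hidden inputs plus a hiddensig field, as the order form would."""
    lines = [
        '<INPUT TYPE=hidden NAME="%s" VALUE="%s">' % (name, escape(str(fields[name]), quote=True))
        for name in SIGNED_FIELDS
    ]
    lines.append('<INPUT TYPE=hidden NAME="hiddensig" VALUE="%s">' % signature(fields))
    return "\n".join(lines)


def verify_submission(submitted):
    """Return True only if every signed field is present and hiddensig matches.
    compare_digest keeps the comparison time independent of where the mismatch is."""
    if any(name not in submitted for name in SIGNED_FIELDS) or "hiddensig" not in submitted:
        return False
    expected = signature(submitted).encode("ascii")
    return hmac.compare_digest(expected, str(submitted["hiddensig"]).encode("utf-8"))


# Constructed sample: what the server wrote out, and what a client might send back
ORIGINAL = {"product": "blah-blah", "price": "1", "weight": "1", "departement": "11", "index": "1"}
FORM_HTML = render_hidden_inputs(ORIGINAL)
FORM_AS_SUBMITTED = dict(ORIGINAL, hiddensig=signature(ORIGINAL))
TAMPERED = dict(FORM_AS_SUBMITTED, price="0")   # price edited in a saved copy of the form

if __name__ == "__main__":
    print(FORM_HTML)
    print("untouched form accepted:", verify_submission(FORM_AS_SUBMITTED))
    print("tampered form accepted:", verify_submission(TAMPERED))
```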