ShopFactory is an online shop management package by 3D3.COM Pty Ltd based in Australia. With more than 100,000 shops worldwide built with our secure shopping cart software, ShopFactory is one of the world's most popular and powerful e-commerce solutions. A vulnerability in the product allows remote attackers to modify the prices offered in the site.
Credit:
The original advisory can be downloaded by going to:
http://www.trust-factory.com/TF20021004.html
The information has been provided by Richard van den Berg.
Vulnerable systems:
* ShopFactory version 5.8 and prior
Impact:
Customers can modify the price of items at will.
The contents of shopping carts used by shops created with ShopFactory software can be modified at will by customers. One interesting vulnerability is the ability to maliciously modify prices of items in the shopping carts. Tests show that the modifications are maintained throughout the billing process.
Technical details:
Shopping carts created with ShopFactory software optionally store all contents of the cart in a cookie at the browser. This includes product IDs, descriptions and prices. Upon revisiting the store, this cookie is used to fill the cart for the new session. At checkout, the contents of this new cart are used to enter the order into the shop's delivery and billing system. If the shop owner has set "Remember Shopping cart for (days)" to 0, cookies are not created by the shop. Prior to version 5.8, cookies are read even when the shop does not create them. If a malicious user manually creates a cookie with incorrect pricing, it is still used to fill the cart for a new shopping session.
Vendor response:
After being made aware of the problem, 3D3.COM chose to fix the reading in of cookies when the shop does not create them. We have not been given the opportunity to verify this fix. Regardless, the price manipulation vulnerability will still exist when "Remember Shopping cart for (days)" is set larger than 0. 3D3.COM states that they have not heard of any merchant experiencing fraud caused by this problem. 3D3.COM has informed its customers of this issue.
Possible workaround:
Upgrade to at least version 5.8 of the ShopFactory software and set "Remember Shopping cart for (days)" to 0.
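The root cause described above is that prices carried in a client-side cookie are trusted when the cart is rebuilt. The following added example (not ShopFactory code) shows the defensive pattern: ignore the cookie entirely when the "Remember Shopping cart for (days)" setting is 0, and otherwise take prices only from the shop's own catalog, flagging any disagreement with the cookie so tampering can be detected. The cookie layout ("id:qty:price" entries separated by semicolons) and the catalog are constructed for illustration; the advisory does not document the real format.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed server-side price list: the only authoritative source of prices.
CATALOG = {
    "SKU100": Decimal("19.99"),
    "SKU200": Decimal("249.00"),
}


@dataclass
class Line:
    product_id: str
    quantity: int
    price: Decimal  # always taken from CATALOG, never from the cookie


def rebuild_cart(cookie: Optional[str], remember_days: int) -> Tuple[List[Line], Decimal, List[str]]:
    """Rebuild a cart from a client cookie; return (lines, total, alerts).

    remember_days mirrors "Remember Shopping cart for (days)": when it is 0
    the shop never issued a cart cookie, so anything that arrives is dropped
    (the pre-5.8 behaviour was to read it anyway). Client-supplied prices are
    discarded; a mismatch with the catalog is recorded as an alert so the
    shop owner can spot manipulation attempts in the logs.
    """
    lines: List[Line] = []
    alerts: List[str] = []
    if remember_days <= 0 or not cookie:
        return lines, Decimal("0"), alerts
    for entry in cookie.split(";"):
        if not entry:
            continue
        try:
            pid, qty_s, price_s = entry.split(":")
            qty, client_price = int(qty_s), Decimal(price_s)
        except (ValueError, ArithmeticError):
            alerts.append(f"malformed cart entry {entry!r} dropped")
            continue
        if pid not in CATALOG or qty <= 0:
            alerts.append(f"unknown product or bad quantity in {entry!r}")
            continue
        if client_price != CATALOG[pid]:
            alerts.append(f"{pid}: cookie price {client_price} != catalog {CATALOG[pid]}")
        lines.append(Line(pid, qty, CATALOG[pid]))  # catalog price wins
    total = sum((ln.price * ln.quantity for ln in lines), Decimal("0"))
    return lines, total, alerts
```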