Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » ShopFactory shopping cart price manipulation

ShopFactory shopping cart price manipulation

by Nikola Strahija on December 2nd, 2002 Impact: Customers can modify the price of items at will


Discovery Date: October 4, 2002
Release Date: December 2, 2002
ID: TF20021004
Title: ShopFactory shopping cart price manipulation
Impact: Customers can modify the price of items at will
Affected Technology: Online shopping carts created with ShopFactory
Vendor Status: Vendor was notified on October 7, 2002
Vendor promised partial fix, and suggested work around
Discovered By: Richard van den Berg
Advisory URL: http://www.trust-factory.com/TF20021004.html

Background:
===========
ShopFactory is an online shop management package by 3D3.COM Pty Ltd
based in Australia. A quote from the www.shopfactory.com homepage:

With more than 100,000 shops worldwide built with our secure shopping
cart software, ShopFactory is one of the world's most popular and
powerful e-commerce solutions.

Description:
============
The contents of shopping carts used by shops created with ShopFactory
software can be modified at will by customers. One interesting
vulnerablility is the ability to maliciously modify prices of items
in the shopping carts. Tests show that the modifications are maintained
throughout the billing process.

Technical details:
==================
Shopping carts created with ShopFactory software optionally store all
contents of the cart in a cookie at the browser. This includes product
IDs, descriptions and prices. Upon revisiting the store, this cookie is
used to fill the cart for the new session. At checkout the contents of
this new cart is used to enter the order into the shop's delivery and
billing system.
If the shop owner has set "Remember Shopping cart for (days)" to 0,
cookies are not created by the shop. Prior to version 5.8 cookies
are being read even when the shop does not create them. If a malicious
user manually creates a cookie with incorrect pricing, it would still
be used to fill the cart for a new shopping session.

Vendor response:
================
After being made aware of the problem, 3D3.COM chose to fix the reading
in of cookies when the shop does not create them. We have not been given
the oppertunity to verify this fix. Regardless, the price manipulation
vulnerability will still exist when "Remember Shopping cart for (days)"
is set larger than 0.
3D3.COM states that they have not heard of any merchant experiencing
fraud caused by this problem. 3D3.COM has informed its customers of this
issue.

Conclusion:
===========
ShopFactory violates the "don't trust user input" rule of application
programming, resulting in potential loss of profit for shops using
this software. See also Don't #2 of "Twenty Don'ts for ASP Developers"
at http://online.securityfocus.com/infocus/1603

Possible work around:
=====================
Upgrade to at least version 5.8 of the ShopFactory software and set
"Remember Shopping cart for (days)" to 0.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »