Dragonfly Commerce Lets Remote Users Modify Prices

SecurityTracker Alert ID: 1014451

SecurityTracker URL: http://securitytracker.com/id?1014451

CVE Reference: CVE-2005-2220

Updated: Jun 15 2008

Original Entry Date: Jul 12 2005

Impact: Modification of user information

Fix Available: Yes
Exploit Included: Yes

Description: Diabolic Crab reported a vulnerability in Dragonfly Commerce. A remote user can modify prices during a transaction.

The 'dc_Cart_Itemsadd.asp' script does not properly validate prices. A remote user can submit a modified 'x_DragonflyCartProductPrice' hidden HTML form value when purchasing a product to purchase the product at a different price than offered.

[Editor's note: The vendor initially disputed this, but it was confirmed via testing by SecurityTracker. The vendor issued a fix on or about July 27, 2005.]
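The flaw described above is the classic hidden-field price tampering pattern: the cart script reads the unit price from a form field the browser supplies instead of from the server-side product table. The following is an added illustration, not Dragonfly Commerce's code; the catalogue, SKUs, and the two handler functions are constructed for the example, and only the parameter name 'x_DragonflyCartProductPrice' comes from the advisory. It places the vulnerable pattern beside the hardened one that the vendor fix describes (pricing from the server, the client value ignored), and flags a submitted price that disagrees with the catalogue so the request can be logged and rejected.

```python
"""Added example (not Dragonfly Commerce code): trusting a client-supplied
price vs. looking it up server-side, with a tamper check for logging."""
from decimal import Decimal

# Constructed catalogue standing in for the store's product table.
CATALOG = {
    "SKU-1001": Decimal("49.95"),
    "SKU-1002": Decimal("12.00"),
}


def add_item_trusting_form_price(form):
    """Vulnerable pattern (the behaviour the advisory describes): the line
    total is computed from the hidden form field, so whatever price the
    browser sends is what the customer is charged."""
    qty = int(form["quantity"])
    price = Decimal(form["x_DragonflyCartProductPrice"])  # client-controlled
    return {"sku": form["sku"], "qty": qty, "line_total": price * qty}


def add_item_server_priced(form, catalog=CATALOG):
    """Hardened pattern: the price comes only from the server-side catalogue.
    A price field in the request is never used for pricing; if one is present
    and differs from the catalogue value, 'tampered' is set so the caller can
    log the attempt and reject the request."""
    sku = form["sku"]
    if sku not in catalog:
        raise ValueError(f"unknown product {sku!r}")
    qty = int(form["quantity"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    price = catalog[sku]
    submitted = form.get("x_DragonflyCartProductPrice")
    tampered = submitted is not None and Decimal(submitted) != price
    return {"sku": sku, "qty": qty, "line_total": price * qty, "tampered": tampered}


# Constructed request: the hidden price field no longer matches the catalogue.
TAMPERED_FORM = {
    "sku": "SKU-1001",
    "quantity": "2",
    "x_DragonflyCartProductPrice": "0.01",
}

if __name__ == "__main__":
    print("vulnerable:", add_item_trusting_form_price(TAMPERED_FORM))
    print("hardened:  ", add_item_server_priced(TAMPERED_FORM))
```

The hardened handler also covers the two input checks a cart endpoint needs alongside the price fix: an unknown SKU and a non-positive quantity are rejected rather than priced. Recording the 'tampered' flag in the application log gives a simple detection signal for attempts against the old parameter after the fix is deployed.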

Impact: A remote user can modify the prices of items being purchased.

Solution: The vendor has issued a fix. The system no longer uses the 'x_DragonflyCartProductPrice' parameter to determine product pricing.

Vendor URL: www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5

Cause: Authentication error

Underlying OS: Windows (Any)

Reported By: "Diabolic Crab" <dcrab@hackerscenter.com>

Message History:
None.

Source Message Contents

[Original Message Not Available for Viewing]