Category:   Application (Commerce)  >   JustAddCommerce
Vendors:   Rich Media Technologies
JustAddCommerce Server Trusts User-supplied Pricing Data
SecurityTracker Alert ID:  1005618
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 13 2002
Impact:   Modification of system information
Exploit Included:  Yes  

Description:   A vulnerability was reported in the JustAddCommerce server. A remote authenticated user can modify prices when purchasing via the server.

It is reported that the JustAddCommerce server accepts and trusts product pricing supplied by the user via hidden HTML form fields. A remote authenticated user can modify the price when shopping and submit the modified price to the server.

The vendor has reportedly been notified.

Impact:   A remote authenticated user can modify prices when purchasing via a web site that uses JustAddCommerce. The price modifications are only valid for that particular purchasing session (i.e., the prices are not changed permanently on the server).
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Authentication error, State error
Underlying OS:  Windows (Me), Windows (98), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  Well known flaw in web cart software remains wide open

WhiteHat Security Advisory 1004
November 11, 2002

Problem Description
Vulnerable web shopping cart software passes prices between web pages 
using hidden form fields.  What this means is that every time a customer 
adds something to their shopping cart, the cart checks HTTP-POSTed data 
coming from the CUSTOMER computer to determine the price.  The problem is 
that the user can alter this data before sending it to your web server, 
allowing the user to set the price of his or her choice.

This hack is already widely known in the WhiteHat and BlackHat 
communities.  I hope to spread awareness to those site owners who are 
trusting their stores to faulty software.

Visit some vulnerable site and look at a set of expensive "FooBars". 
Install a simple IE plugin that allows you to edit HTTP POST data before 
submission and then change the hidden form field containing the price of 
the FooBars from $575 to $10.

Now, send the edited data and look at the confirmation page. 

Malicious users may set their own prices at any site using vulnerable 
cart software.  If prices are not hand-verified, vulnerable sites lose 

Mitigating Factors / Vendor Snake Oil
1> Some vendors think it is sufficient to change from HTTP GET requests to 
Insufficient.  Hand-crafted HTTP requests using Perl, C++, etc. allow the 
user to fake a POST.

2> Checking HTTP Referer (
Insufficient.  HTTP Referer is a header sent FROM the client and thus 
should not be trusted.  The user can either fake the header or use a trivial IE 
plugin which allows on-the-fly POST editing.  Writing such a plugin took 
the author 5 hours.  The widely available test proxy known as Achilles 
can also execute this attack.

Vendors Affected and Notification Dates
JustAddCommerce                                   - Notified July 15
Cart32                                            - Notified July 8
Approximately 50% of the hand-coded carts tested  - Notified at assorted dates/times

Related note [1]: PayPal does not claim that its donations are secure, 
and thus I do not consider them vulnerable.  Prices are passed in URL.

Related note [2]: A number of vendors have protected their item price 
data, but not their shipping charge data.  When submitting a shipping 
charge of -40, the user receives a $40 discount on their order.

Where to go from here
Find out if you are vulnerable.  Review your code or your HTTP traffic to 
determine where the prices are coming from.

If you find you are vulnerable:
1> Immediately begin verifying orders and prices.
2> Call your vendor and request a patch
3> Read the Web Security section of "Writing Secure Code" or similar to 
figure out how to fix this class of vulnerability.

How to prevent this problem
Cart software should NEVER trust ANY data coming from the client.  This 
includes HTTP headers.  If the cart must rely on HTTP POSTed data, it 
should be delivered in a cryptographically secure manner, i.e. bound to a 
server-held secret (for example a keyed MAC over the hidden fields) so that 
any client-side change is detected and the order rejected.
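The attack and both fixes, as an added worked example constructed for this 
archive page (not code from WhiteHat, JustAddCommerce or Cart32): forge_post 
hand-crafts the POST with a spoofed Referer, as the IE plugin or Achilles proxy 
above would; vulnerable_total reproduces the trusting pattern (Referer check 
plus posted price and shipping, including the negative-shipping case from 
related note [2]); hardened_total recomputes from a server-side catalog; 
sign_fields/signed_total show the "cryptographically secure" alternative with 
an HMAC over the hidden fields.  The shop name, SKU, prices, shipping rule and 
key are all made up.

```python
"""Constructed demo of hidden-field price tampering and two server-side fixes."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# The only price source the server should trust: its own catalog (cents, not floats).
CATALOG = {"FOOBAR": 57500}          # the $575 "FooBars" from the advisory
SHIPPING_CENTS = 4000                 # server-side shipping rule, never read from the client
SECRET_KEY = b"constructed-demo-key"  # hypothetical server secret for Fix 2


def forge_post(fields: dict, referer: str) -> bytes:
    """Hand-craft the request a POST-editing plugin or proxy would send.
    Every byte, hidden fields and Referer included, is attacker-chosen."""
    body = urlencode(fields).encode()
    head = (
        "POST /cart/add HTTP/1.1\r\n"
        "Host: shop.example\r\n"
        f"Referer: {referer}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 parser: returns (headers, form) for a urlencoded POST."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")[1:]            # drop the request line
    headers = dict(line.split(": ", 1) for line in lines)
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return headers, form


def vulnerable_total(raw: bytes) -> int:
    """The pattern the advisory describes: a Referer check plus trust in the
    posted price and shipping fields. All of them are under client control."""
    headers, form = parse_request(raw)
    if not headers.get("Referer", "").startswith("https://shop.example/"):
        raise PermissionError("bad referer")           # the 'snake oil' mitigation
    return int(form["price"]) * int(form["qty"]) + int(form["shipping"])


def hardened_total(raw: bytes) -> int:
    """Fix 1: accept only an item id and quantity; price and shipping come
    from the server. Zero or negative quantities are rejected."""
    _, form = parse_request(raw)
    sku, qty = form.get("sku"), int(form.get("qty", 0))
    if sku not in CATALOG or qty <= 0:
        raise ValueError("unknown item or bad quantity")
    return CATALOG[sku] * qty + SHIPPING_CENTS


def sign_fields(fields: dict) -> dict:
    """Fix 2: if price data must round-trip through hidden fields, bind it with
    an HMAC over a canonical encoding so the client cannot alter it unnoticed."""
    canonical = urlencode(sorted(fields.items())).encode()
    mac = hmac.new(SECRET_KEY, canonical, hashlib.sha256).hexdigest()
    return {**fields, "sig": mac}


def signed_total(raw: bytes) -> int:
    """Use posted price fields only if their HMAC verifies; still reject
    negative charges so a signed-but-odd shipping value cannot become a discount."""
    _, form = parse_request(raw)
    fields = dict(form)
    sig = fields.pop("sig", "")
    canonical = urlencode(sorted(fields.items())).encode()
    expected = hmac.new(SECRET_KEY, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("hidden fields were tampered with")
    price, qty, shipping = (int(fields[k]) for k in ("price", "qty", "shipping"))
    if qty <= 0 or shipping < 0:
        raise ValueError("negative charge")
    return price * qty + shipping


def demo() -> dict:
    """An honest checkout and two tampered ones, run through each handler."""
    referer = "https://shop.example/foobar.html"        # spoofed; passes the check
    honest = {"sku": "FOOBAR", "price": "57500", "qty": "1", "shipping": "4000"}
    cheap = {**honest, "price": "1000"}                 # $575 -> $10, as in the advisory
    neg_ship = {**honest, "shipping": "-4000"}          # related note [2]: negative shipping
    results = {}
    for name, fields in (("honest", honest), ("cheap", cheap), ("neg_ship", neg_ship)):
        raw = forge_post(fields, referer)
        results[name] = {"vulnerable": vulnerable_total(raw), "hardened": hardened_total(raw)}
    # Fix 2: the server signed the honest fields; the attacker edits the price afterwards.
    signed = sign_fields(honest)
    results["signed_ok"] = signed_total(forge_post(signed, referer))
    try:
        signed_total(forge_post({**signed, "price": "1000"}, referer))
        results["signed_tampered"] = "accepted"
    except ValueError:
        results["signed_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the spoofed Referer passing the vulnerable handler while 
it bills $10 instead of $575 and turns a -40 shipping charge into a $40 
discount; the hardened handler returns the catalog total regardless of what 
was posted, and the HMAC-protected variant rejects the edited price outright.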

