SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   FishCart Vendors:   FishNet
FishCart Shopping System Integer Overflow Lets Remote Users Trigger Caculation Errors
SecurityTracker Alert ID:  1008731
SecurityTracker URL:  http://securitytracker.com/id/1008731
CVE Reference:   CVE-2004-0062   (Links to External Site)
Updated:  Jan 20 2004
Original Entry Date:  Jan 15 2004
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0 and prior versions
Description:   An integer overflow vulnerability was reported in the FishCart shopping system. A remote user can trigger a calculation error.

It is reported that a remote user can specify 'very large quantities' of items to be ordered to trigger an integer overflow and result in negative totals calculated for the order.

Impact:   A remote user can cause the shopping cart to calculate negative totals.
Solution:   The vendor has issued a fixed version (3.1), available at:

http://fishcart.org/

The vendor indicates that, alternately, you can replace the rnd() function with the following function:

function rnd ($n) {
return round($n,2);
}

This function reportedly resides in the included file 'round.php[3]' for FishCart 3.0 or earlier and in 'functions.php' for the version 3.1 betas. For FishCart version 1.x, the function reportedly resides in in both the 'round.php3' and 'showcart.php3' files.

Vendor URL:  fishcart.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  FishCart Integer Overflow / Rounding Error



FishCart(R) is a popular full-featured multi-language open source
e-commerce system.  It is written in PHP4 and works with a variety
of database engines.  It has been in production for 6 years and is
in active use in a number of countries.  FishCart has developers in
the US and western Europe.

On 8 January 2004, Luke Campbell (l.campbell@m2consultancy.com) of
M2 Consultancy reported an error where very large quantities
ordered, on the order of a billion or more, can cause negative
totals in FishCart.  We quickly traced this to an integer overflow
in an arithmetic rounding function written for PHP2, in which
FishCart was originally written in late 1997.  This rounding
function has since been in use in all versions of FishCart.

The developers believe we have a simple solution, to simply replace
the previous rnd() function with the one below.  After research and
testing we believe this will give accurate multi-national results.

function rnd ($n) {
    return round($n,2);
}

The function is found in the included file round.php[3] for FishCart
3.0 or earlier, or in functions.php for the version 3.1 betas.
FishCart version 1.x users will need to modify the function in both
the round.php3 and showcart.php3 files.

Version 3.1, available from http://fishcart.org/, is supplied with
the patch already applied and tested.

The second precision argument to the round() function requires
PHP4.  We believe this to be a reasonable choice, as the vast
majority of sites should by now be running on PHP4.

For sites running on PHP3, or for those that do not have immediate
access to the FishCart code, risk can be greatly reduced if a
FishCart uses a maximum order quantity on each product, or if
inventory checks are enabled per product (unless very high stock
levels are listed).  As long as the maximum total currency amount is
less than (2^31)-5, or 2,147,483,643, there will be no integer
overflow in the current rnd() function.

The appropriate maximum order quantity in the product table will
depend on each site, perhaps 1000 or 10000; this could be set per
product or sitewide as makes sense for each installation.

Another option is to modify the code in the showcart.php[3] and
modcart.php[3] files to limit the quantity allowed.  No specific code
patches can be provided due to the many different versions of FishCart
that have been released.

B. van Ouwerkerk, one of the FishCart developers, has provided a
simple utility script to update all products with a maximum order
quantity.  The script is available from the following location.
Rename the script to fcsqlfix.php and upload it to the ./maint
directory under the FishCart installation, then access the file
directly from your browser.  A simple form will be presented to
enter the maximum order quantity to which you wish to set all
products.  When submitted the form will update the database.
Thanks to B. for responding quickly with this.

http://fishcartdocs.bvanouwerkerk.nl/fcsqlfix.php.txt

Support will be provided via the FishCart support e-mail list,
available for subscription at http://fishcart.org/.  One must be
subscribed to send to the list, fishcart@fishcart.org.

We recommend that the appropriate fix for each site be applied
immediately.  No known abuses of this bug have been reported.
Merchants should be able to quickly identity and correct any such
abuses, due to the negative totals and the extremely high product
quantities required to cause the overflow.

   Michael Brennen
   President, FishNet(R), Inc.
   For the FishCart Developers
   +011 972.669.0041

FishCart is a registered trademark of FishNet(R), Inc.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC