SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   PHPCart Vendors:   Carmosa
PHPCart Authentication Flaw Lets Remote Users Modify Prices During Purchase
SecurityTracker Alert ID:  1013892
SecurityTracker URL:  http://securitytracker.com/id/1013892
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 5 2005
Impact:   Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 3.2; possibly other versions (3.3 was not tested)
Description:   Lostmon reported a vulnerability in PHPCart. A remote user can modify prices.

The 'phpcart.php' script does not properly validate or authenticate user-supplied input in the 'price' and 'postage' variables. A remote user can modify the price of an item when ordering the item.

A demonstration exploit URL is provided:

http://[target]/phpcart.php?action=add&id=1002&descr=Mobile%20Phone&price=0&postage=&quantity=100

The vendor was notified on April 26, 2005.

Impact:   A remote user can modify the price of an item when ordering the item.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpcart.net/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHPCart order price manipulation


###############################################
PHPCart order price manipulation
vendor url: www.phpcart.net
advisory:http://lostmon.blogspot.com/2005/04/
phpcart-price-manipulation.html
vendor notify: yes exploit abailable: yes
################################################

PHPCart  is a simple shopping system for small web-merchants
.Set-up of PHPCart is quick and easy, and does not require a database.

PHPcart contains a flaw that allows a price manipulation wen order a
product.  This flaw exists because the application does not validate
'price' , 'postage' variables upon submission to the 'phpcart.php'
script.  This could allow a user to create a specially crafted URL
that can shop some products at 0$, leading to a loss of integrity.


versions:

3.2 afected
3.3 not tested

also is posible all vesions prior to 3.2 are vulnerables.

##########
solution:
##########

upgrade to version 3.3 (not tested)
this version is not tested and is also posible to be vulnerable too.


##########
timeline
##########

discovered:25 april 2005
vendor notify 26 april 2005
vendor response:
vendor fix:
disclosure:


#####################
Proof of concept:
#####################


for exploiting this issue :

1 click in "add to cart" button on product what you are interested the
link have a
similar looks : 

http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20Phone&price=35.0&postage=10&quantity=1

if we look we have action=add , description of product and this
==>&price=35.0&postage=10
this is the price of the product and the post cost.

in your cart you have now a product.

2. click on "view basket" and you have your product ... delete it and 
click on this manipulate URL:
http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20Phone&price=0&postage=&quantity=100

we manipulate 'price' , 'postage' and 'quantity' and now if we look our basket
we have 100 products shopping at cost 0$


thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team 
thnx to all who day after day support me !!!
-- atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ 
Data Mangler of: http://www.osvdb.org -- La curiosidad es lo que hace mover la mente.... 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC