
Arbitrary Price Manipulation in CartMan Shopping Software


I. BACKGROUND

Per Magne Knutsen's CartMan is a PHP-based multilingual, standalone web-based shopping cart application. More information is available at http://www.cartman.nethut.no .

II. DESCRIPTION

When adding items to the CartMan shopping cart, it uses a URL similar in structure to the following:

cartman.php?action=add&id=1234&descr=My%20Product&price=250&quantity=1

The problem is that an attacker can generate such a request by hand and set the price parameter (price=250 in the above URL) to any price desired. The following rewritten URL will add the "My Product" item, listed at $250, to the attacker's shopping cart at a price of $1:

cartman.php?action=add&id=1234&descr=My%20Product&price=1&quantity=1
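The defect and its fix, as an added illustration that is not CartMan's code: the vulnerable handler mirrors the behaviour described above (it trusts the client-supplied price), while the hardened handler looks the price up server-side by product id. The catalog, the handler names and the tamper check are constructed for this example.

```python
"""Constructed example of the price-tampering pattern in section II.

None of this is CartMan source.  `vulnerable_add_to_cart` reproduces the
described behaviour (price taken from the request); `add_to_cart` is the
hardened form, where the only source of prices is the server-side catalog.
"""
from urllib.parse import urlparse, parse_qs

# Constructed catalog standing in for the merchant's product database.
# Prices are whole dollars, as in the advisory's URLs.
CATALOG = {"1234": {"descr": "My Product", "price": 250}}

# The two URLs quoted in the advisory.
ORIGINAL_URL = "cartman.php?action=add&id=1234&descr=My%20Product&price=250&quantity=1"
TAMPERED_URL = "cartman.php?action=add&id=1234&descr=My%20Product&price=1&quantity=1"


def parse_add_request(url):
    """Split a cartman.php?action=add&... URL into a flat parameter dict."""
    query = parse_qs(urlparse(url).query)
    return {name: values[0] for name, values in query.items()}


def vulnerable_add_to_cart(cart, params):
    """Defective pattern: every field, including price, is taken from the client."""
    line = {"id": params["id"], "descr": params["descr"],
            "price": int(params["price"]), "quantity": int(params["quantity"])}
    cart.append(line)
    return line


def add_to_cart(cart, params):
    """Hardened pattern: the client chooses only product id and quantity;
    description and price are resolved from the catalog and the submitted
    price (if any) is ignored."""
    product = CATALOG.get(params.get("id"))
    if product is None:
        raise ValueError("unknown product id")
    quantity = int(params.get("quantity", "1"))
    if quantity < 1:
        raise ValueError("quantity must be a positive integer")
    line = {"id": params["id"], "descr": product["descr"],
            "price": product["price"], "quantity": quantity}
    cart.append(line)
    return line


def price_tampered(params):
    """Detection aid: True when a submitted price disagrees with the catalog,
    so such requests can be logged while the parameter is still accepted."""
    product = CATALOG.get(params.get("id"))
    return (product is not None and "price" in params
            and int(params["price"]) != product["price"])


def cart_total(cart):
    """Sum of price * quantity over all cart lines."""
    return sum(line["price"] * line["quantity"] for line in cart)
```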

III. ANALYSIS

In cases where software is made available for download immediately after automated credit card validation, remote attackers can purchase such software for any price desired.

IV. DETECTION

CartMan 1.04 is affected. Previous versions may be susceptible as well.


V. VENDOR RESPONSE

Knutsen said, "A temporary fix that conceals how CartMan actually works has been suggested to my customers. The "fix" is available in the documentation file of an up-coming update of CartMan. Please see http://www.cartman.nethut.no/development/documentation.html . The relevant section is in the section Frequently Asked Questions, and reads like this:

--- extract start ---

"How can I create a product-link to CartMan without the price and product ID showing in the browser's address field?" You can also pass information to CartMan via a FORM in your webpage, not just by links. Remember to include all the fields. An example that also uses JavaScript is used in the index.html page that comes with this distribution. Click on the Dreamweaver link to see it in action. The link calls a JavaScript on the page, which in turn submits an invisible FORM on the same page.

--- extract end ---"

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1352 to this issue.

VII. DISCLOSURE TIMELINE

11/04/2002 Issue disclosed to iDEFENSE
11/22/2002 Author notified, Per Magne Knutsen (pknutsen@nethut.no)
11/23/2002 Response from Author
11/25/2002 iDEFENSE clients notified
12/16/2002 Public Disclosure

VIII. CREDIT

Steven Dowd (steven.dowd@dowd.co.uk) discovered this vulnerability.


