Subject: Price modification in Element InstantShop
From: Zoa_Chien (zoachien@SECURAX.ORG)
Date: Tue Oct 24 2000 - 04:50:29 CDT


=====================================================================
Securax-SA-07 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: Price modification in Element InstantShop
Announced: 2000-10-23
Updated: 2000-10-23
O/S: Microsoft Windows NT 4 Server
Severity: High - Price modification possible
vendor URL: www.element.be
cgi-bin: /[bin-dir]/add_2_basket.asp
=====================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE
ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY
IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE
ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS
INFORMATION FOR ANY PURPOSE.

I. Background
It is possible to modify the unit price of an item because the price is
submitted as a hidden field in the order form. By saving a copy of the
order form locally and editing that value, it is possible to submit an
order with a zero or even negative price.

II. Impact
Example:
<INPUT TYPE = HIDDEN NAME = "product" VALUE = "blah-blah">
<INPUT TYPE = HIDDEN NAME = "name" VALUE = "blah-blah" >
<INPUT TYPE = HIDDEN NAME = "price" VALUE = "1">
--> change this value to anything you like.
<INPUT TYPE = HIDDEN NAME = "weight" VALUE = "1">
<INPUT TYPE = HIDDEN NAME = "shopperid" VALUE = "">
<INPUT TYPE = HIDDEN NAME = "departement" VALUE = "11">
<INPUT TYPE = HIDDEN NAME = "index" VALUE = "1">

III. Recommendation
The vendor has been informed, but in the meantime we recommend using
non-realtime transactions (i.e. manual authorisation), and paying
attention to any BMW going over the counter for $10 :-)
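The flaw in sections I and II is that add_2_basket.asp trusts a price the client chose. The following Python is an added example, not Element InstantShop code, standing in for the ASP handler: it decodes the same form fields the advisory lists (product, name, price, weight, shopperid, departement, index), shows the vulnerable behaviour of accepting the submitted price, and beside it a hardened handler that takes the price only from a server-side catalogue, refuses the request when the submitted price disagrees, and writes an audit line so tampering attempts can be detected before manual authorisation. The catalogue, product ids and prices are constructed for the example.

```python
"""Hidden-field price tampering: vulnerable vs hardened basket handler.

Added example, not code from Element InstantShop or the advisory authors.
The catalogue below is constructed for the example; the form field names
are the ones listed in the advisory.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {
    "blah-blah": {"name": "blah-blah", "price": Decimal("1.00")},
    "bmw-demo": {"name": "BMW (constructed entry)", "price": Decimal("39900.00")},
}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def add_to_basket_vulnerable(body: str) -> dict:
    """Mirrors the advisory: the hidden 'price' field is taken as-is."""
    form = parse_form(body)
    return {"product": form["product"], "price": Decimal(form["price"]),
            "accepted": True}


def add_to_basket_hardened(body: str, audit: list) -> dict:
    """Price comes from the catalogue only; a disagreeing or unparsable
    submitted price is refused and recorded in `audit` for detection."""
    form = parse_form(body)
    product = form.get("product", "")
    item = CATALOGUE.get(product)
    if item is None:
        audit.append(f"unknown-product shopperid={form.get('shopperid', '')!r} "
                     f"product={product!r}")
        return {"product": product, "price": None, "accepted": False,
                "reason": "unknown product"}

    real_price = item["price"]
    submitted = form.get("price")
    try:
        submitted_price = Decimal(submitted) if submitted is not None else None
    except InvalidOperation:
        submitted_price = None

    if submitted_price != real_price:
        # The client altered the hidden field (or sent garbage); refuse and log.
        audit.append(f"price-tamper shopperid={form.get('shopperid', '')!r} "
                     f"product={product!r} submitted={submitted!r} "
                     f"catalogue={real_price}")
        return {"product": product, "price": real_price, "accepted": False,
                "reason": "submitted price does not match catalogue"}

    return {"product": product, "price": real_price, "accepted": True}


# Constructed POST bodies: the form from section II, honest and tampered.
HONEST_BODY = ("product=blah-blah&name=blah-blah&price=1&weight=1"
               "&shopperid=&departement=11&index=1")
TAMPERED_BODY = ("product=blah-blah&name=blah-blah&price=-10&weight=1"
                 "&shopperid=&departement=11&index=1")


def demo() -> list:
    """Run both handlers over both bodies; return the audit lines produced."""
    audit = []
    print("vulnerable, tampered:", add_to_basket_vulnerable(TAMPERED_BODY))
    print("hardened, tampered:  ", add_to_basket_hardened(TAMPERED_BODY, audit))
    print("hardened, honest:    ", add_to_basket_hardened(HONEST_BODY, audit))
    for line in audit:
        print("AUDIT:", line)
    return audit


if __name__ == "__main__":
    demo()
```

The design point is that the hidden field is never used as the price; it is only compared against the catalogue so that a mismatch becomes a log line a reviewer doing manual authorisation can act on. Dropping the hidden price field from the form entirely, and keeping only the product id, removes the tampering surface altogether.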

IV. Credits
<frazzle_freckle@hehe.com> for the e-shop hunting spree, and
<zoachien@securax.org> for the HTML.

=====================================================================
For more information: info@securax.org
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
---------------------------------------------------------------------
