Bugtraq mailing list archives

Price modification in Element InstantShop


From: Zoa_Chien <zoachien () SECURAX ORG>
Date: Tue, 24 Oct 2000 11:50:45 +0200

=====================================================================
Securax-SA-07 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: Price modification in Element InstantShop
Announced: 2000-10-23
Updated: 2000-10-23
O/S: Microsoft Windows NT 4 Server
Severity: High - Price modification possible
vendor URL: www.element.be
cgi-bin: /[bin-dir]/add_2_basket.asp
=====================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE
ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY
IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE
ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS
INFORMATION FOR ANY PURPOSE.



I. Background
It is possible to modify the unit price of an item because the price is
submitted as a hidden field in the order form. By saving a copy of the
order form locally and editing that value, it is possible to submit an
order form with a zero or even a negative price.



II. Impact
Example:
<INPUT TYPE = HIDDEN NAME = "product" VALUE = "blah-blah">
<INPUT TYPE = HIDDEN NAME = "name" VALUE = "blah-blah" >
<INPUT TYPE = HIDDEN NAME = "price" VALUE = "1">
--> change this value to anything you like.
<INPUT TYPE = HIDDEN NAME = "weight" VALUE = "1">
<INPUT TYPE = HIDDEN NAME = "shopperid" VALUE = "">
<INPUT TYPE = HIDDEN NAME = "departement" VALUE = "11">
<INPUT TYPE = HIDDEN NAME = "index" VALUE = "1">


III. Recommendation
The vendor has been informed, but in the meanwhile we recommend
using non-realtime transactions (i.e. manual authorisation), and
pay attention for a BMW going over the counter for $10 :-)
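As an added illustration (not the vendor's code nor part of the advisory), the flawed add-to-basket logic beside a hardened version that prices the line from a server-side catalogue and treats a mismatched hidden "price" field as a tamper signal. It is written in Python rather than the shop's ASP; the catalogue entries, product ids and form dictionaries are constructed here.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {
    "bmw-320": {"name": "BMW 320", "price": Decimal("35000.00")},
    "mug-01": {"name": "Coffee mug", "price": Decimal("4.50")},
}


class TamperedOrder(ValueError):
    """Raised when a submitted field disagrees with server-side data."""


def add_to_basket_vulnerable(form, basket):
    """Mirrors the flaw in the advisory: the unit price is read from the
    hidden form field, so the client can submit 0 or a negative value."""
    qty = int(form.get("quantity", "1"))
    unit = Decimal(form["price"])  # client-controlled price
    basket.append({"product": form["product"], "qty": qty, "unit": unit})
    return sum(item["qty"] * item["unit"] for item in basket)


def add_to_basket_hardened(form, basket, audit_log):
    """Only the product id and quantity are taken from the client; the
    price is looked up server-side. A submitted price that disagrees with
    the catalogue is logged and the request is rejected, since a normal
    browser never alters a hidden field."""
    product = form.get("product", "")
    if product not in CATALOGUE:
        raise TamperedOrder(f"unknown product {product!r}")
    qty = int(form.get("quantity", "1"))
    if qty < 1:
        raise TamperedOrder(f"invalid quantity {qty}")
    unit = CATALOGUE[product]["price"]
    submitted = form.get("price")
    if submitted is not None:
        try:
            matches = Decimal(submitted) == unit
        except InvalidOperation:
            matches = False  # non-numeric price is tampering too
        if not matches:
            audit_log.append(
                f"price tamper: product={product} "
                f"submitted={submitted!r} catalogue={unit}"
            )
            raise TamperedOrder("submitted price does not match catalogue")
    basket.append({"product": product, "qty": qty, "unit": unit})
    return sum(item["qty"] * item["unit"] for item in basket)
```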



IV. Credits
<frazzle_freckle () hehe com> for the e-shop hunting spree, and
<zoachien@securax.org> for the HTML.



=====================================================================
For more information info () securax org
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
---------------------------------------------------------------------

