Bugtraq mailing list archives
Re: Price modification in Element InstantShop
From: "Forrest J. Cavalier III" <mibsoft () mibsoftware com>
Date: Tue, 24 Oct 2000 14:12:11 -0400
[snip of exploit which manipulates HTML hidden form inputs]
Regrettably common, I think.
This is just a reminder (with PHP3 code) that one simple technique
to protect against this kind of tampering is to use a signature
to validate the hidden values.
In PHP3, it is as simple as using md5 with a secret, like this:
$secret = "Some constant, unrevealed string.";

/* On writing out the form: emit the hidden values, then a signature
   computed over all of them plus the server-side secret */
echo "<INPUT TYPE=hidden NAME=price VALUE=\"$price\">";
echo "<INPUT TYPE=hidden NAME=hidden2 VALUE=\"$hidden2\">";
echo "<INPUT TYPE=hidden NAME=hidden3 VALUE=\"$hidden3\">";
echo "<INPUT TYPE=hidden NAME=hiddensig VALUE=\"" .
     md5($price . $hidden2 . $hidden3 . $secret) . "\">";

/* On reading in the form: $price, $hidden2, $hidden3 and $hiddensig are the
   submitted form variables (PHP3 register_globals); recompute the signature
   from the submitted values and compare it with the submitted one */
if (md5($price . $hidden2 . $hidden3 . $secret) != $hiddensig) {
    /* Tampering detected */
} else {
    /* Signature matches expected */
}
Forrest J. Cavalier III, Mib Software Voice 570-992-8824
http://www.rocketaware.com/ has over 30,000 links to
source, libraries, functions, applications, and documentation.
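The following is an added example, not code from the post above, that works through the same idea of signing hidden form fields. It reproduces the post's construction (a digest over the raw values concatenated with the secret), shows the boundary-shift forgery that plain concatenation allows, and then the form a practitioner would use today: an HMAC over an unambiguous name=value encoding, checked with a constant-time compare. The field names (price, qty, sig), the secret and the sample order are constructed for the illustration.

```python
"""
Signing hidden form fields (added example, not from the original post).

  * naive_sign  - the post's md5(value1 . value2 . secret) construction.
                  Raw concatenation is ambiguous, so a digit can be moved
                  across the field boundary without changing the digest.
  * sign/verify - HMAC-SHA256 over a canonical name=value encoding, compared
                  in constant time.
"""
import hashlib
import hmac
from html import escape
from urllib.parse import urlencode

# Hypothetical secret; a real deployment loads it from configuration.
SECRET = b"Some constant, unrevealed string."

# Fixed order of the hidden fields covered by the signature.
FIELDS = ("price", "qty")


def naive_sign(values, secret=SECRET):
    """The post's scheme: digest of the raw values concatenated, then the secret."""
    data = "".join(values[k] for k in FIELDS).encode() + secret
    return hashlib.md5(data).hexdigest()


def naive_verify(values, sig, secret=SECRET):
    return naive_sign(values, secret) == sig


def boundary_shift(values):
    """Attacker's move against naive_sign: price '100', qty '1' concatenates to
    '1001', and so does price '1', qty '001'. The digest cannot tell the two
    apart, so the forged pair is accepted with the original signature."""
    joined = "".join(values[k] for k in FIELDS)
    return {"price": joined[:1], "qty": joined[1:]}


def canonical(values):
    """Unambiguous encoding: name=value pairs in fixed order, URL-escaped, so
    two different sets of values never encode to the same byte string."""
    return urlencode([(k, values[k]) for k in FIELDS]).encode()


def sign(values, secret=SECRET):
    return hmac.new(secret, canonical(values), hashlib.sha256).hexdigest()


def verify(values, sig, secret=SECRET):
    """Constant-time comparison; returns False rather than raising on junk input."""
    if not isinstance(sig, str):
        return False
    try:
        return hmac.compare_digest(sign(values, secret), sig)
    except TypeError:  # compare_digest rejects non-ASCII str
        return False


def render_hidden_inputs(values, secret=SECRET):
    """Emit the hidden inputs plus the signature field, HTML-escaped."""
    lines = [
        f'<input type="hidden" name="{k}" value="{escape(values[k], quote=True)}">'
        for k in FIELDS
    ]
    lines.append(f'<input type="hidden" name="sig" value="{sign(values, secret)}">')
    return "\n".join(lines)


def read_submission(form, secret=SECRET):
    """Server side: rebuild the signed tuple from the POSTed fields and check it.
    Returns the values on success, None on tampering or a missing field."""
    try:
        values = {k: form[k] for k in FIELDS}
        sig = form["sig"]
    except KeyError:
        return None
    if not verify(values, sig, secret):
        return None
    return values


if __name__ == "__main__":
    original = {"price": "100", "qty": "1"}  # constructed sample order
    forged = boundary_shift(original)         # {'price': '1', 'qty': '001'}
    print("naive scheme accepts forgery:", naive_verify(forged, naive_sign(original)))
    print(render_hidden_inputs(original))
    post = dict(original, sig=sign(original))
    print("hmac scheme accepts genuine:", read_submission(post) == original)
    post["price"] = "1"
    print("hmac scheme accepts tampered:", read_submission(post) is not None)
```

The signature only proves that the server emitted exactly those values; it does not stop a customer from replaying an old, cheaper signed price, and it still trusts the browser to carry the price at all. Where the server can look the price up from a product identifier at checkout, that is the stronger fix, and the signature is then only needed for values the server genuinely cannot reconstruct.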
Current thread:
- Price modification in Element InstantShop Zoa_Chien (Oct 25)
- <Possible follow-ups>
- Re: Price modification in Element InstantShop Forrest J. Cavalier III (Oct 25)
- Re: Price modification in Element InstantShop Glover, Mike (Oct 26)
- Re: Price modification in Element InstantShop JJ Halans (Oct 28)
