Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [xforce () iss net: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications]
From: erik () SUBNETT NO (Erik Gjertsen)
Date: Thu, 3 Feb 2000 14:42:18 +0000

        I've been doing some testing with an application not mentioned
here, namely Filemaker (former Claris Filemaker) which is a database
application that can be used together with a web-publishing plugin or the
Lasso web server to provide a simple "shopping cart" type system.

Filemaker uses _both_ HTML forms, and URLs for the exchange of information
between the web-plugin/lasso and the database backend. I have tested
several sites based on this system, and changing and/or deleting
information stored in the database from a web-browser is a trivial task,
even without modifying forms locally.

AFAIK, Filemaker & lasso/web-companion does not provide any method of
checking the referrerer field - in fact, only a few variables passed by
the browser can be checked - leaving those systems (and according to
Filemaker, that's quite a few) very vulnerable.

The only way to protect a Filemaker database is to set up the built-in web
security system, so that databases such as stock- and price-lists are
"read-only" from web. That still leaves the order-database unprotected
(you will need write access to that database in order to place orders).

Some tests on random sites picked from Filemakers "Happy customers" list
revealed that all the tested sites (admittedly not that many...) were
vulnerable. Changing prices and other database information could be very
easily accomplished.

I am aware that Filemaker is not really an ideal application for this
purpose at all, but since there are so many "Happy Customers" using it for
exactly that , I found it worth mentioning.

On Tue, 1 Feb 2000, Patrick Oonk wrote:

Date: Tue, 1 Feb 2000 20:20:34 +0100
From: Patrick Oonk <patrick () PINE NL>
Subject: [xforce () iss net: ISSalert: ISS E-Security Alert: Form Tampering
                Vulnerabilities in Several Web-Based Shopping Cart

----- Forwarded message from X-Force <xforce () iss net> -----

Delivered-To: alert-out-link () iss net
Date: Tue, 1 Feb 2000 11:08:50 -0500 (EST)
From: X-Force <xforce () iss net>
To: alert () iss net
Subject: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart 
Precedence: bulk
Reply-To: X-Force <xforce () iss net>
X-Loop: alert

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo () iss net  Contact alert-owner () iss net for help with any problems!


ISS E-Security Alert
February 1, 2000

Form Tampering Vulnerabilities in Several Web-Based Shopping Cart


There are form tampering vulnerabilities present in several web-based
shopping cart applications. Over the past couple of years, form tampering
vulnerabilities have been discussed on security forums. ISS X-Force has
continued to research this area due to the constant increase in e-commerce.
ISS X-Force has identified eleven shopping cart applications that are
vulnerable to price changing using form tampering. It is possible for an
attacker to take advantage of the form tampering vulnerabilities and order
items at a reduced price on an e-commerce site. The web store operator
should verify the price of each item ordered in the shopping cart
application database or email invoice.


Many web-based shopping cart applications use hidden fields in HTML forms to
hold parameters for items in an online store. These parameters can include
the item's name, weight, quantity, product ID, and price. An application
that bases price on a hidden field in an HTML form may be compromised by
this vulnerability. An attacker could modify the HTML form on their local
machine to change the price of the item and then load the page into a web
browser. After submitting the form, the item is added to their shopping cart
at the modified price. Vulnerable shopping cart applications use a hidden
field containing the price of an item. When the value of that hidden field
is changed, the shopping cart application stores the changed price in its
database and/or e-mail invoice. This vulnerability can also affect hidden
discount fields in the HTML form. An attacker can modify the discount fields
to get a discount on items without actually modifying the price in the form.
If a site processes credit card orders in real time, it may not be possible
to verify the price of each item before the credit card is charged.

Another situation that can lead to price changing occurs when the price of
an item is listed in a URL. When clicking a link, the CGI program will add
the item to the shopping cart with the price set in the URL. Simply
changing the price in the URL will add the item to the shopping cart at
the modified price. Shopping cart software should not rely on the web
browser to set the price of an item.

Several of these applications use a security method based on the HTTP header
to verify the request is coming from an appropriate site. The applications
tested do not check to see if there is a referrer in the HTTP header, so the
transaction will continue if the form is submitted from a hard drive.
Microsoft Internet Explorer 5.0 does not include a referrer field in the
HTTP header if the form is submitted from a page stored on a local drive
(see Microsoft Knowledge Base article Q178066). The inclusion of a referrer
field makes it more difficult to exploit these form tampering
vulnerabilities. However, a referrer field can be modified, allowing an
attacker to take advantage of these vulnerabilities.

The ISS X-Force has identified eleven shopping cart applications that are
vulnerable to form tampering. ISS X-Force has notified all the listed
shopping cart software companies of the form tampering vulnerabilities and
will continue to work with them to ensure their software is secure. The
following is a list of the affected vendors and their response to these
vulnerabilities in the 45 day alert process.

Check It Out (http://ssl.adgrafix.com) has completed securing their software
against these vulnerabilities.

Seven shopping cart software companies have modified their applications to
provide a higher level of security:
@Retail (http://www.atretail.com)
Cart32 2.6 (http://www.cart32.com)
CartIt 3.0 (http://www.cartit.com)
Make-a-Store OrderPage (http://www.make-a-store.com)
SalesCart (http://www.salescart.com)
SmartCart (http://www.smartcart.com)
Shoptron 1.2 (http://www.shoptron.com)

Three have not yet provided any fix information:
EasyCart (http://www.easycart.com)
Intellivend (http://www.intellivend.com)
WebSiteTool (http://www.websitetool.com)

Consulting and contracting firms may use shopping cart techniques to create
e-commerce pages for customers, making it possible for many other e-commerce
sites to be vulnerable to these form tampering vulnerabilities.

Additional Information:

For more information on other vulnerabilities that involve hidden form
fields in HTML pages, see the white paper on the MSC Hidden Form Field
Vulnerability at http://www.miora.com/files/index.htm.

In April 1999 the BugTraq mailing list hosted a discussion
about a different type of shopping cart vulnerability that would allow
attackers to expose users' credit card and order information to the
public. For more information on this go to:
Pine.LNX.3.96.990420132956.13470B-100000 () gonzo blarg 
 () gonzo blarg net</A>


If an e-commerce site is vulnerable to price changing, the shopping cart
software should be upgraded or changed. If this is not possible, verify the
price of each item in every completed order to ensure that no one is
exploiting this vulnerability.

A technique that fixes the form tampering vulnerability is described in the
September 1998 issue of Web Techniques in an article written by Dr. Lincoln
D. Stein. The article is available at:
In the article, Dr. Stein describes a technique that prevents HTML forms
from being modified without knowledge. By computing MD5 sums of a secret key
and form data before and after form submission, there is a method to
verify that no tampering has occurred. All MD5 sum discrepancies can be
output to a log file that includes the IP address of the attacker's

ISS X-Force recommends contacting ISS' Consulting and Education Group (CEG)
to perform a security assessment against your e-commerce solution to ensure
and validate the security of your e-business applications. For more
information, please  contact CEG at <mailto:ceg () iss net> or

About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce () iss net for permission.


The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce () iss net>
of Internet Security Systems, Inc.

Version: 2.6.3a
Charset: noconv


----- End forwarded message -----

 Patrick Oonk - PO1-6BONE - patrick () pine nl - www.pine.nl/~patrick
 Pine Internet B.V.      PINE31337-RIPE        PGP key ID BE7497F1
 Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
 ----    Pine Security Digest - http://security.nl/ (Dutch)   ----
 Excuse of the day: Your excuse is: The keyboard isn't plugged in

---[ erik gjertsen ]--------- -    - -      -          -

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]