Another hole in Cart32

[bunny_69_1 () HOTMAIL COM (bunny_69_1 () HOTMAIL COM)]

Bunny69 - Security and more
bunny_69_1 () hotmail com
------------------------------------------------------------
Discovered: 5/22/2000 16:33
By: Bunny69

Short Info:
-----------
While messing around with Cart32, I discovered the following
bug. (I must say that the existance of such bugs in eCarts
is well known, but as far as I know it was never discovered
in Cart32)

Description:
-----------
When a user clicks on a product he's interested in, he sees
a form where he can add this product to his cart, the
problem is that the price of the product is passed to the
Cart32 system by a "hidden" HTML tag named Price.
A simple edit of this field will permit a malicious attacker
to buy products in the desired price (probably $0).

Versions Affected:
------------------
Probably all versions. 
I checked versions 2.5a and 3.0.

Exploit:
-------
Exploiting this hole is extremly easy, one should simply
save the web page of the desired product in his hard drive,
edit the HTML source, change the price to 0, browse the page
again and submit the form - voila, a nice new Porche 911 for
the nice price of $1.99 :)

Credits
-------
Bunny69, Hiv.

Thanks
------
rlogin, my mom.

Disclaimer
-----------
The information submitted above is for educational use only,
any illegal use of this information is illegal and will get
you busted, don't be a retard read this page, learn new
stuff and never ever use this to harm people.

------------------------------------------------------------
Another nice hole discovered by Bunny69
bunny_69_1 () hotmail com