Bugtraq mailing list archives

Re: Another hole in Cart32


From: mike () SECTOR001 ORG (Michael Form)
Date: Mon, 22 May 2000 16:37:54 -0400


At 01:36 PM 5/22/00 +0000, bunny_69_1 () HOTMAIL COM wrote:
> Description:
> -----------
> When a user clicks on a product he's interested in, he sees
> a form where he can add this product to his cart, the
> problem is that the price of the product is passed to the
> Cart32 system by a "hidden" HTML tag named Price.
> A simple edit of this field will permit a malicious attacker
> to buy products in the desired price (probably $0).

This "hole" is avoided by setting "Domain(s) to Accept Orders" in the
'Advanced' Tab. If the referral URL does not match one of those domains
provided, the order will not go through. To quote from Cart32 v3.0 Help:

Domain(s) To Accept Orders
This is a list of domain names or ip addresses in which to accept orders.
This would be your website. This prevents a user from downloading a page
containing product information and then changing the price or other
parameter and then submitting the order. You can enter one domain name or several
separated by commas. Ex. www.cart32.com or www.cart32.com, cart32.com,
207.150.83.60
(END QUOTE)

Of course, there are ways to go around the referral check. Which is why the
"Require POST" option exists, which means the form must be submitted using
'POST' and not 'GET'.

Again, there are ways to avoid that check (for example, creating your own
simplistic "web browser"). However, all Cart32 users should skim through
the orders to see any noticeable price errors.
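As an added illustration of the points raised in this thread (example code written for this archive page, not Cart32's own code), the handler below contrasts the weak design described above, where the total is computed from the client-supplied hidden "Price" field, with a handler that ignores any submitted price and looks the amount up in the merchant's own catalog. It also shows the two mitigations quoted from the Cart32 help (a "Require POST" check and a Referer host allow-list) as defence in depth, and a small review routine in the spirit of the closing advice that flags stored orders whose recorded price does not match the catalog. The catalog, the allowed domains, the field names "Item" and "Quantity", and the sample orders are all constructed assumptions; only the hidden field name "Price" comes from the post.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample catalog (assumption): the server's own price list,
# product id -> unit price in cents. This, not the form, is the source of truth.
CATALOG = {"WIDGET-1": 1999, "GADGET-2": 4999}

# Constructed stand-in for the "Domain(s) to Accept Orders" setting (assumption).
ALLOWED_DOMAINS = {"www.example-shop.test", "example-shop.test"}


@dataclass
class Request:
    """Minimal model of an incoming form submission (assumption, not a Cart32 type)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def total_trusting_client(form):
    """Weak design as described in the post: the hidden Price field is believed."""
    return int(form["Price"]) * int(form["Quantity"])


def total_from_catalog(form):
    """Hardened design: price comes from the catalog keyed by product id; the
    submitted Price field (if any) is ignored entirely."""
    product_id = form["Item"]               # raises KeyError if absent
    if product_id not in CATALOG:
        raise ValueError("unknown product id")
    quantity = int(form["Quantity"])        # raises ValueError if not an integer
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    return CATALOG[product_id] * quantity


def referer_allowed(headers):
    """Referer host allow-list, equivalent in spirit to the Cart32 domain setting.
    The post already notes this header can be forged, so it is only a speed bump."""
    referer = headers.get("Referer")
    if not referer:
        return False
    host = urlparse(referer).hostname
    return host in ALLOWED_DOMAINS


def process_order(req):
    """Apply the checks in order: method, referer, then server-side pricing.
    Returns ("accepted", total_cents) or ("rejected", reason)."""
    if req.method != "POST":                # the "Require POST" option
        return ("rejected", "method")
    if not referer_allowed(req.headers):    # the domain allow-list
        return ("rejected", "referer")
    try:
        total = total_from_catalog(req.form)
    except (KeyError, ValueError):
        return ("rejected", "form")
    return ("accepted", total)


# Constructed sample of stored orders (assumption): what a merchant would skim.
SAMPLE_ORDERS = [
    {"OrderId": "1001", "Item": "WIDGET-1", "Price": 1999},
    {"OrderId": "1002", "Item": "GADGET-2", "Price": 0},      # tampered price
    {"OrderId": "1003", "Item": "WIDGET-1", "Price": 1999},
]


def flag_price_mismatches(orders):
    """Review helper: return ids of orders whose recorded unit price differs
    from the catalog, or whose product id is not in the catalog at all."""
    flagged = []
    for order in orders:
        expected = CATALOG.get(order["Item"])
        if expected is None or order["Price"] != expected:
            flagged.append(order["OrderId"])
    return flagged


if __name__ == "__main__":
    tampered = {"Item": "WIDGET-1", "Quantity": "2", "Price": "0"}
    print("trusting client:", total_trusting_client(tampered))   # 0
    print("from catalog:   ", total_from_catalog(tampered))      # 3998
    print("flagged orders: ", flag_price_mismatches(SAMPLE_ORDERS))
```

Of the three checks, only the catalog lookup actually removes the problem; the method and Referer checks remain useful as cheap filters and as log signals (a rejected-for-referer order is worth a look), which is why the review helper keys on the catalog rather than on anything the client sent.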

