
Arbitrary Price Manipulation in CartMan Shopping Software

12.16.02

BACKGROUND

Per Magne Knutsen's CartMan is a PHP-based multilingual, standalone web-based shopping cart application. More information is available at http://www.cartman.nethut.no .

DESCRIPTION

When adding items to the CartMan shopping cart, it uses a URL similar in structure to the following:

cartman.php?action=add&id=1234&descr=My%20Product&price=250&quantity=1

The problem is that an attacker can generate such a request by hand and set the price parameter (price=250 in the above URL) to any price desired. The following rewritten URL will add the "My Product" item, listed at $250, to the attacker's shopping cart at a price of $1:

cartman.php?action=add&id=1234&descr=My%20Product&price=1&quantity=1

ANALYSIS

In cases where software is made available for download immediately after automated credit card validation, remote attackers can purchase such software for any price desired.

DETECTION

CartMan 1.04 is affected. Previous versions may be susceptible as well.

VENDOR RESPONSE

Knutsen said, "A temporary fix that conceals how CartMan actually works has been suggested to my customers. The "fix" is available in the documentation file of an up-coming update of CartMan. Please see http://www.cartman.nethut.no/development/documentation.html . The relevant section is in the section Frequently Asked Questions, and reads like this:

--- extract start ---

"How can I create a product-link to CartMan without the price and product ID showing in the browser's address field?" You can also pass information to CartMan via a FORM in your webpage, not just by links. Remember to include all the fields. An example, that also uses JavaScript is used in the index.html page that comes with this distribution. Click on the Dreamweaver link to see it in action. The link calls a JavaScript on the page, that in turn submits an invisible FORM on the same page.

--- extract end ---"
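The root cause described above is that the server charges whatever price the client sends; moving the same parameters from a link into a hidden FORM leaves them just as client-controlled. The following added example (not CartMan's code; the catalogue, product id and function names are constructed for illustration) shows the vulnerable add-to-cart pattern beside a hardened one that accepts only a product id and quantity and takes the description and price from a server-side catalogue.

```php
<?php
// Added example, not part of CartMan. Product ids, prices and function
// names are constructed for illustration.

// Vulnerable pattern: trusts the client-supplied price, the flaw behind
// cartman.php?action=add&id=1234&descr=My%20Product&price=1&quantity=1
function add_item_vulnerable(array &$cart, array $params): void
{
    $cart[] = [
        'id'       => $params['id'],
        'descr'    => $params['descr'],
        'price'    => (float) $params['price'],   // attacker controls this
        'quantity' => (int) $params['quantity'],
    ];
}

// Hardened pattern: the client may only choose WHICH product and HOW MANY;
// description and price come from the server-side catalogue keyed by id.
function add_item_safe(array &$cart, array $catalog, array $params): bool
{
    $id = $params['id'] ?? '';
    if (!ctype_digit((string) $id) || !isset($catalog[(int) $id])) {
        return false;                     // unknown or malformed product id
    }
    $quantity = filter_var($params['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($quantity === false) {
        return false;                     // reject zero, negative or absurd quantities
    }
    $product = $catalog[(int) $id];
    $cart[] = [
        'id'       => (int) $id,
        'descr'    => $product['descr'],  // request value ignored
        'price'    => $product['price'],  // request value ignored
        'quantity' => $quantity,
    ];
    return true;
}

// Constructed catalogue: id => description and authoritative price.
$catalog = [1234 => ['descr' => 'My Product', 'price' => 250.00]];

// The tampered request from the advisory: price rewritten from 250 to 1.
$tampered = ['action' => 'add', 'id' => '1234', 'descr' => 'My Product',
             'price' => '1', 'quantity' => '1'];

$cart = [];
add_item_vulnerable($cart, $tampered);
printf("vulnerable: %s charged at \$%.2f\n", $cart[0]['descr'], $cart[0]['price']);
$cart = [];
add_item_safe($cart, $catalog, $tampered);
printf("hardened:   %s charged at \$%.2f\n", $cart[0]['descr'], $cart[0]['price']);
```

The same rule applies to any field that affects the amount charged: a request should carry only identifiers and quantities, and every amount is recomputed on the server before the card is validated.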

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1352 to this issue.

DISCLOSURE TIMELINE

11/04/2002 Issue disclosed to iDEFENSE
11/22/2002 Author notified, Per Magne Knutsen (pknutsen@nethut.no)
11/23/2002 Response from Author
11/25/2002 iDEFENSE clients notified
12/16/2002 Public Disclosure

CREDIT

Steven Dowd (steven.dowd@dowd.co.uk) discovered this vulnerability.