Public Vulnerability Reports

Arbitrary Price Manipulation in CartMan Shopping Software



Per Magne Knutsen's CartMan is a PHP-based multilingual, standalone web-based shopping cart application. More information is available at .


When adding items to the CartMan shopping cart, it uses a URL similar in structure to the following:


The problem is an attacker can generate such a request by hand and set the price parameter (price=250 in the above URL) to any price desired. The following rewritten URL will add the "My Product" item listed as $250 to the attackers shopping cart at a price of $1:



In cases where software is made available for download immediately after automated credit card validation, remote attackers can purchase such software for any price desired.


CartMan 1.04 is affected. Previous versions may be susceptible as well.


Knutsen said, "A temporary fix that conceals how CartMan actually works has been suggested to my customers. The "fix" is available in the documentation file of an up-coming update of CartMan. Please see . The relevant section is in the section Frequently Asked Questions, and reads like this:

- - --- extract start ---

"How can I create a product-link to CartMan without the price and product ID showing in the browser's address field?" You can also pass information to CartMan via a FORM in your webpage, not just by links. Remember to include all the fields. An example,
that also uses JavaScript is used in the index.html page that comes with this distribution. Click on the Dreamweaver link to see it in action. The link calls a JavaScript on the page, that in turn submits an invisible FORM on the same page.

- - --- extract end ---"


The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1352 to this issue.


11/04/2002 Issue disclosed to iDEFENSE
11/22/2002 Author notified, Per Magne Knutsen (
11/23/2002 Response from Author
11/25/2002 iDEFENSE clients notified
12/16/2002 Public Disclosure


Steven Dowd ( discovered this vulnerability.