Per Magne Knutsen's CartMan is a PHP-based multilingual, standalone web-based shopping cart application. More information is available at http://www.cartman.nethut.no .
When adding items to the CartMan shopping cart, it uses a URL similar in structure to the following:
The problem is an attacker can generate such a request by hand and set the price parameter (price=250 in the above URL) to any price desired. The following rewritten URL will add the "My Product" item listed as $250 to the attackers shopping cart at a price of $1:
In cases where software is made available for download immediately after automated credit card validation, remote attackers can purchase such software for any price desired.
CartMan 1.04 is affected. Previous versions may be susceptible as well.
Knutsen said, "A temporary fix that conceals how CartMan actually works has been suggested to my customers. The "fix" is available in the documentation file of an up-coming update of CartMan. Please see http://www.cartman.nethut.no/development/documentation.html . The relevant section is in the section Frequently Asked Questions, and reads like this:
- - --- extract start ---
"How can I create a product-link to CartMan without the price and product ID showing in the browser's address field?" You can also pass information to CartMan via a FORM in your webpage, not just by links. Remember to include all the fields. An example,
- - --- extract end ---"
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1352 to this issue.
11/04/2002 Issue disclosed to iDEFENSE
11/22/2002 Author notified, Per Magne Knutsen (firstname.lastname@example.org)
11/23/2002 Response from Author
11/25/2002 iDEFENSE clients notified
12/16/2002 Public Disclosure
Steven Dowd (email@example.com) discovered this vulnerability.