COMMAND

    CyberOffice Shopping Cart

SYSTEMS AFFECTED

    CyberOffice Shopping Cart v2

PROBLEM

    Following  is  based  on  a  Delphis  Consulting Security Advisory
    DST2K0036.   Delphis  Consulting  Internet  Security  Team (DCIST)
    discovered  the  following  vulnerability  in CyberOffice Shopping
    Cart v2 under Windows NT.

    It is possible to modify the unit price of items because the price is
    submitted as a hidden field in the order form.  By saving a copy of
    the order form locally, editing the value and submitting the modified
    form, it is possible to place an order with a zero or even negative
    unit price.  Example:

        <input type="hidden" name="Price" value="0">

    The vendor's solution relies on the HTTP Referer header, which the
    client controls, and is easily bypassed.

SOLUTION

    Currently Delphis recommends the following: make transactions
    non-realtime (i.e. manual authorisation).

    SmartWin is aware of the problem and has provided a solution for
    about 6 months.  Under Global / System Settings of the Shop Manager,
    you can set Authorized URL(s) to specify the Web sites (folders)
    where the shopping pages reside.  This effectively stops the problem
    you reported in this article.  Typically, merchants will switch on
    the option for real-time services.
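    The patterns discussed in the PROBLEM section and in the vendor's
    Authorized URL(s) response, as an added example written for this page
    (it is not CyberOffice, SmartWin or Delphis code; the item IDs, prices
    and shop URL are assumptions): a handler that trusts the hidden Price
    field, a hardened handler that prices the order from the server-side
    catalogue and treats a mismatching Price as tampering, and a
    Referer-based authorised-URL check of the kind the advisory says the
    vendor relies on, shown accepting a request whose Referer the client
    simply forged.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalogue standing in for the shop's own price table. The item
# IDs and prices are assumptions for this example, not CyberOffice data.
CATALOG = {
    "WIDGET-1": Decimal("19.99"),
    "GADGET-2": Decimal("49.00"),
}


class OrderError(ValueError):
    """Raised when an order form fails server-side validation."""


def total_trusting_hidden_price(form_body):
    """Vulnerable pattern (the one the advisory describes).

    The unit price is read straight from the submitted form, i.e. from the
    <input type="hidden" name="Price" ...> field. A client who edits that
    field to 0 or to a negative number is charged exactly that.
    """
    fields = parse_qs(form_body)
    qty = int(fields["Qty"][0])
    price = Decimal(fields["Price"][0])
    return price * qty


def total_from_catalog(form_body):
    """Hardened pattern: the client may choose the item and quantity, nothing
    else. The unit price comes from the server's catalogue, and a submitted
    Price field that disagrees with it is treated as tampering."""
    fields = parse_qs(form_body)
    item = fields.get("ItemID", [""])[0]
    if item not in CATALOG:
        raise OrderError("unknown item: %r" % item)
    try:
        qty = int(fields.get("Qty", [""])[0])
    except ValueError:
        raise OrderError("quantity is not an integer")
    if qty <= 0:
        raise OrderError("quantity must be positive")
    if "Price" in fields:
        try:
            submitted = Decimal(fields["Price"][0])
        except InvalidOperation:
            raise OrderError("price is not a number")
        if submitted != CATALOG[item]:
            raise OrderError("submitted price %s does not match catalogue" % submitted)
    return CATALOG[item] * qty


def referer_allows(headers, authorized_prefixes):
    """Referer-based 'authorised URL' check of the kind the advisory says the
    vendor relies on. It accepts any request whose Referer header starts with
    an allowed prefix. Since the client sends that header, it proves nothing
    about where the form was really loaded from."""
    referer = headers.get("Referer", "")
    return any(referer.startswith(prefix) for prefix in authorized_prefixes)


def forged_order(item, qty, price, referer):
    """Build the body and headers a tampering client would submit: an edited
    Price field plus a Referer copied from the genuine shop page."""
    body = "ItemID=%s&Qty=%d&Price=%s" % (item, qty, price)
    headers = {
        "Referer": referer,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return body, headers


if __name__ == "__main__":
    # Hypothetical shop URL used as the authorised folder.
    authorized = ["http://shop.example.test/cart/"]
    body, headers = forged_order(
        "WIDGET-1", 3, "0", "http://shop.example.test/cart/order.htm")

    # The referer check is satisfied by the forged header ...
    print("referer check passes:", referer_allows(headers, authorized))
    # ... and the vulnerable handler charges nothing for three items.
    print("vulnerable total:", total_trusting_hidden_price(body))
    # The hardened handler refuses the tampered form.
    try:
        total_from_catalog(body)
    except OrderError as e:
        print("hardened handler rejected order:", e)
    # An honest form needs no Price field at all; it is priced from the catalogue.
    print("honest total:", total_from_catalog("ItemID=WIDGET-1&Qty=3"))
```

    Run the file directly to see the four outcomes. The hardened handler
    could simply ignore a submitted Price instead of rejecting a mismatch;
    rejecting it costs nothing and gives the merchant a tampering signal
    worth logging.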