COMMAND

    Element InstantShop

SYSTEMS AFFECTED

    Element InstantShop

PROBLEM

    Following is based  on a Securax-SA-07  Security Advisory.   It is
    possible to modify the unit price  of items, as it is submitted as
    a hidden field as part of the order form.  By saving a copy of the
    order form locally and modifying the value,  it is possible to
    submit an order form with a zero or even negative price value.

    Example:

        <INPUT TYPE = HIDDEN NAME = "product" VALUE = "blah-blah">
        <INPUT TYPE = HIDDEN NAME = "name" VALUE = "blah-blah" >
        <INPUT TYPE = HIDDEN NAME = "price" VALUE = "1">
        --> change this value to anything you like.
        <INPUT TYPE = HIDDEN NAME = "weight" VALUE = "1">
        <INPUT TYPE = HIDDEN NAME = "shopperid" VALUE = "">
        <INPUT TYPE = HIDDEN NAME = "departement" VALUE = "11">
        <INPUT TYPE = HIDDEN NAME = "index" VALUE = "1">

SOLUTION

    A regrettable situation, but the vendor has fixed this issue in all
    affected shops.  They now get the price from the database, and no
    longer take it from the form field on the previous page.
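    The following is an added example, not code from Element InstantShop
    or from the advisory.  It shows the two behaviours the PROBLEM and
    SOLUTION sections describe side by side: a handler that bills
    whatever arrives in the hidden "price" field, and the fixed handler
    that looks the price up server-side by product id and never reads
    the posted price at all.  The hidden-field names are the ones in the
    advisory's form fragment; the CATALOGUE dict (standing in for the
    vendor's database), the OrderError class and the tampered_price
    detection helper are assumptions made for this demonstration.

```python
"""Server-side price handling before and after the InstantShop fix.

Added example, not InstantShop's own code.  The field names come from
the advisory; CATALOGUE, OrderError and tampered_price are assumptions.
"""
from decimal import Decimal, InvalidOperation
from html.parser import HTMLParser
from typing import Dict, Mapping

# Constructed copy of the advisory's order form (hidden fields only).
ORDER_FORM_HTML = """
<INPUT TYPE = HIDDEN NAME = "product" VALUE = "blah-blah">
<INPUT TYPE = HIDDEN NAME = "name" VALUE = "blah-blah" >
<INPUT TYPE = HIDDEN NAME = "price" VALUE = "1">
<INPUT TYPE = HIDDEN NAME = "weight" VALUE = "1">
<INPUT TYPE = HIDDEN NAME = "shopperid" VALUE = "">
<INPUT TYPE = HIDDEN NAME = "departement" VALUE = "11">
<INPUT TYPE = HIDDEN NAME = "index" VALUE = "1">
"""

# Hypothetical server-side product table standing in for the database
# the vendor now reads the price from.  Keyed by the "product" field.
CATALOGUE: Dict[str, Dict[str, Decimal]] = {
    "blah-blah": {"price": Decimal("1.00")},
}


class OrderError(ValueError):
    """Raised when an order cannot be priced from trusted data."""


class _HiddenFieldParser(HTMLParser):
    """Collects <INPUT TYPE=HIDDEN NAME=... VALUE=...> pairs from a form."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attr names
        if a.get("type", "").lower() == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def parse_hidden_fields(html: str) -> Dict[str, str]:
    """Return the hidden INPUT fields as a name->value dict, i.e. what the
    shop receives when the (possibly locally edited) form is posted back."""
    p = _HiddenFieldParser()
    p.feed(html)
    return p.fields


def total_vulnerable(form: Mapping[str, str]) -> Decimal:
    """Pre-fix behaviour: the unit price is whatever the client posted in
    the hidden 'price' field, so 0 or a negative number is billed as-is."""
    return Decimal(form["price"])


def total_fixed(form: Mapping[str, str],
                catalogue: Mapping[str, Mapping[str, Decimal]] = CATALOGUE) -> Decimal:
    """Post-fix behaviour: the price is looked up server-side by product id;
    the posted 'price' field is never consulted."""
    item = catalogue.get(form.get("product", ""))
    if item is None:
        raise OrderError("unknown product")
    return item["price"]


def tampered_price(form: Mapping[str, str],
                   catalogue: Mapping[str, Mapping[str, Decimal]] = CATALOGUE) -> bool:
    """Detection aid for the shop's logs: True when the posted hidden price
    does not match the catalogue, which is what an edited form looks like."""
    item = catalogue.get(form.get("product", ""))
    if item is None:
        return True
    try:
        return Decimal(form.get("price", "")) != item["price"]
    except InvalidOperation:        # non-numeric or empty price field
        return True


if __name__ == "__main__":
    honest = parse_hidden_fields(ORDER_FORM_HTML)
    edited = dict(honest, price="-1")      # the edit the advisory describes
    print("vulnerable:", total_vulnerable(honest), total_vulnerable(edited))
    print("fixed:     ", total_fixed(honest), total_fixed(edited))
    print("tampered?  ", tampered_price(honest), tampered_price(edited))
```

    Note that "weight" in the same form is client-supplied in exactly the
    same way, so a shop that derives shipping cost from it should apply
    the same rule: treat every hidden field as untrusted input and use it
    only as a key to look up authoritative values on the server.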