COMMAND
Web-Based Shopping Cart Applications
SYSTEMS AFFECTED
Web-Based Shopping Cart Applications
PROBLEM
The following is based on an ISS E-Security Alert. Form
tampering vulnerabilities are present in several web-based
shopping cart applications. Over the past couple of years, form
tampering vulnerabilities have been discussed on security forums.
ISS X-Force has continued to research this area due to the
constant increase in e-commerce. ISS X-Force has identified eleven
shopping cart applications that are vulnerable to price changing
using form tampering. It is possible for an attacker to take
advantage of the form tampering vulnerabilities and order items
at a reduced price on an e-commerce site. The web store operator
should verify the price of each item ordered, as recorded in the
shopping cart application's database or e-mail invoice.
Many web-based shopping cart applications use hidden fields in
HTML forms to hold parameters for items in an online store. These
parameters can include the item's name, weight, quantity, product
ID, and price. An application that bases price on a hidden field
in an HTML form may be compromised by this vulnerability. An
attacker could modify the HTML form on their local machine to
change the price of the item and then load the page into a web
browser. After submitting the form, the item is added to their
shopping cart at the modified price. Vulnerable shopping cart
applications use a hidden field containing the price of an item.
When the value of that hidden field is changed, the shopping cart
application stores the changed price in its database and/or
e-mail invoice. This vulnerability can also affect hidden
discount fields in the HTML form. An attacker can modify the
discount fields to get a discount on items without actually
modifying the price in the form. If a site processes credit card
orders in real time, it may not be possible to verify the price
of each item before the credit card is charged.
Another situation that can lead to price changing occurs when the
price of an item is listed in a URL. When clicking a link, the
CGI program will add the item to the shopping cart with the price
set in the URL. Simply changing the price in the URL will add the
item to the shopping cart at the modified price. Shopping cart
software should not rely on the web browser to set the price of an
item.
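As an added illustration of the fix the advisory calls for (this is example code, not code from the advisory or from any of the vendors listed), the following Python handler shows the pattern described above beside a hardened version. The vulnerable handler takes the price and discount from the request, whether they arrived as hidden fields or in a URL; the hardened handler treats the request as naming an item, a quantity and a discount code only, and takes every amount from tables the server controls. A submitted price that disagrees with the catalog is reported so the operator can log it. The parameter names, the catalog, the discount table and the sample requests are constructed for this example.

```python
"""Server-side price authority for an add-to-cart handler (added example)."""
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import parse_qs

# Constructed catalog: the only place a unit price may come from.
CATALOG = {
    "SKU-100": {"name": "Widget", "price": Decimal("19.99")},
    "SKU-200": {"name": "Gadget", "price": Decimal("149.00")},
}

# Constructed discount table, keyed by code and looked up server-side.
DISCOUNTS = {"SPRING10": Decimal("0.10")}

CENT = Decimal("0.01")


class TamperError(ValueError):
    """Raised when the request carries a value the server refuses to trust."""


def vulnerable_add_to_cart(query: str) -> dict:
    """The pattern the advisory describes: price and discount are read from
    the request (hidden fields or URL parameters), so the client sets them."""
    q = parse_qs(query)
    price = Decimal(q["price"][0])
    qty = int(q.get("qty", ["1"])[0])
    discount = Decimal(q.get("discount", ["0"])[0])
    total = (price * qty * (1 - discount)).quantize(CENT, ROUND_HALF_UP)
    return {"item_id": q["item_id"][0], "unit_price": price,
            "qty": qty, "total": total}


def hardened_add_to_cart(query: str) -> dict:
    """Price and discount come from server-side tables.  The request only
    selects an item, a quantity and an optional discount code; a submitted
    price field is ignored for pricing and flagged if it disagrees."""
    q = parse_qs(query)
    item_id = q["item_id"][0]
    item = CATALOG.get(item_id)
    if item is None:
        raise TamperError(f"unknown item {item_id!r}")

    qty = int(q.get("qty", ["1"])[0])
    if not 1 <= qty <= 99:
        raise TamperError(f"quantity out of range: {qty}")

    rate = Decimal("0")
    code = q.get("discount_code", [None])[0]
    if code is not None:
        rate = DISCOUNTS.get(code)
        if rate is None:
            raise TamperError(f"unknown discount code {code!r}")

    # A price echoed back by the browser is never used; if it differs from
    # the catalog it is evidence that the form or URL was edited.
    submitted = q.get("price", [None])[0]
    mismatch = submitted is not None and Decimal(submitted) != item["price"]

    total = (item["price"] * qty * (1 - rate)).quantize(CENT, ROUND_HALF_UP)
    return {"item_id": item_id, "unit_price": item["price"], "qty": qty,
            "total": total, "price_mismatch": mismatch}


if __name__ == "__main__":
    # Constructed request with the hidden price field edited to 1.00.
    edited = "item_id=SKU-200&price=1.00&qty=2"
    print("vulnerable:", vulnerable_add_to_cart(edited)["total"])   # 2.00
    print("hardened:  ", hardened_add_to_cart(edited))               # 298.00, mismatch flagged
```

The hardened handler deliberately does not look at the Referer header: as the advisory notes, that header is absent in some browsers and can be set to anything by the client, so it adds nothing to the decision of what an item costs. Quantity is bounded as well, since a negative or huge quantity is the same class of client-supplied number as the price.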
Several of these applications use a security method based on the
HTTP header to verify the request is coming from an appropriate
site. The applications tested do not check to see if there is a
referrer in the HTTP header, so the transaction will continue if
the form is submitted from a hard drive. Microsoft Internet
Explorer 5.0 does not include a referrer field in the HTTP header
if the form is submitted from a page stored on a local drive (see
Microsoft Knowledge Base article Q178066). The inclusion of a
referrer field makes it more difficult to exploit these form
tampering vulnerabilities. However, a referrer field can be
modified, allowing an attacker to take advantage of these
vulnerabilities.
The ISS X-Force has identified eleven shopping cart applications
that are vulnerable to form tampering. ISS X-Force has notified
all the listed shopping cart software companies of the form
tampering vulnerabilities and will continue to work with them to
ensure their software is secure. The following is a list of the
affected vendors and their response to these vulnerabilities in
the 45 day alert process.
Check It Out (http://ssl.adgrafix.com) has completed securing its
software against these vulnerabilities.
Seven shopping cart software companies have modified their
applications to provide a higher level of security:
@Retail (http://www.atretail.com)
Cart32 2.6 (http://www.cart32.com)
CartIt 3.0 (http://www.cartit.com)
Make-a-Store OrderPage (http://www.make-a-store.com)
SalesCart (http://www.salescart.com)
SmartCart (http://www.smartcart.com)
Shoptron 1.2 (http://www.shoptron.com)
Three have not yet provided any fix information:
EasyCart (http://www.easycart.com)
Intellivend (http://www.intellivend.com)
WebSiteTool (http://www.websitetool.com)
Consulting and contracting firms may use shopping cart techniques
to create e-commerce pages for customers, making it possible for
many other e-commerce sites to be vulnerable to these form
tampering vulnerabilities.
For more information on other vulnerabilities that involve hidden
form fields in HTML pages, see the white paper on the MSC Hidden
Form Field Vulnerability at
http://www.miora.com/files/index.htm
Erik Gjertsen was doing some testing with an application not
mentioned here, namely Filemaker (formerly Claris Filemaker), a
database application that can be used together with a
web-publishing plugin or the Lasso web server to provide a simple
"shopping cart" type system. Filemaker uses both HTML forms and
URLs for the exchange of information between the
web-plugin/Lasso and the database backend. He also tested several
sites based on this system, and changing and/or deleting
information stored in the database from a web browser is a trivial
task, even without modifying forms locally.
The only way to protect a Filemaker database is to set up the
built-in web security system, so that databases such as stock and
price lists are "read-only" from the web. That still leaves the
order database unprotected (write access to that database is
needed in order to place orders). Some tests on random sites
picked from Filemaker's "Happy customers" list revealed that all
the tested sites (admittedly not that many) were vulnerable.
Changing prices and other database information could be very
easily accomplished.
SOLUTION
If an e-commerce site is vulnerable to price changing, the
shopping cart software should be upgraded or changed. If this is
not possible, verify the price of each item in every completed
order to ensure that no one is exploiting this vulnerability.
A technique that fixes the form tampering vulnerability is
described in the September 1998 issue of Web Techniques in an
article written by Dr. Lincoln D. Stein. The article is available
at:
http://www.webtechniques.com/archives/1998/09/webm/
In the article, Dr. Stein describes a technique that prevents HTML
forms from being modified without the server's knowledge. By
computing an MD5 sum over a secret key and the form data when the
form is generated, and again when it is submitted, the server can
verify that no tampering has occurred. Every MD5 sum discrepancy
can be written to a log file that includes the IP address of the
attacker's machine.
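The following Python module is an added example of that technique; it is not code from the Web Techniques article, the advisory, or any vendor. It keeps the structure Stein describes (a keyed digest over the hidden fields, computed when the form is rendered and recomputed on submission, with discrepancies logged together with the client address) but uses HMAC-SHA256 rather than an MD5 sum of key and data, since a bare hash of key followed by data is open to length-extension and MD5 is no longer considered collision-resistant. The secret, the field names, the hypothetical logger name and the sample submissions are constructed for this example.

```python
"""Tamper-evident hidden form fields, in the spirit of Stein's technique
(added example; HMAC-SHA256 swapped in for the article's MD5 sum)."""
import hashlib
import hmac
import html
import logging
from typing import Optional
from urllib.parse import parse_qs, urlencode

log = logging.getLogger("formsig")   # hypothetical logger name

# Constructed server-side secret; it is never placed in the form.
SECRET = b"constructed-secret-rotate-me"

# The hidden fields whose values must not change between render and submit.
SIGNED_FIELDS = ("item_id", "price", "discount")


def _digest(fields: dict) -> str:
    """HMAC-SHA256 over the protected fields in a fixed order.  Field names
    are part of the input, so swapping the values of two fields is detected."""
    canonical = "&".join(f"{name}={fields[name]}" for name in SIGNED_FIELDS)
    return hmac.new(SECRET, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_fields(item_id: str, price: str, discount: str = "0") -> dict:
    """Build the hidden-field values for one order form plus their signature.
    This is what the server computes when it generates the page."""
    fields = {"item_id": item_id, "price": price, "discount": discount}
    fields["sig"] = _digest(fields)
    return fields


def hidden_inputs_html(fields: dict) -> str:
    """Render the signed fields as the hidden <input> elements embedded in
    the page; values are HTML-escaped so they cannot break out of the tag."""
    return "\n".join(
        f'<input type="hidden" name="{html.escape(name)}" '
        f'value="{html.escape(str(value), quote=True)}">'
        for name, value in fields.items()
    )


def verify_submission(query: str, remote_addr: str) -> Optional[dict]:
    """Recompute the digest over the submitted fields.  A discrepancy means
    the form was changed after the server produced it: log it with the
    client address, as the article suggests, and reject the order (None)."""
    q = parse_qs(query, keep_blank_values=True)
    try:
        fields = {name: q[name][0] for name in SIGNED_FIELDS}
        sig = q["sig"][0]
    except KeyError as missing:
        log.warning("form missing field %s from %s", missing, remote_addr)
        return None
    # Constant-time comparison so the check leaks nothing about the digest.
    if not hmac.compare_digest(_digest(fields), sig):
        log.warning("form tampering detected from %s: %s", remote_addr, fields)
        return None
    return fields


if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s %(message)s")
    signed = sign_fields("SKU-200", "149.00")
    print(hidden_inputs_html(signed))
    # Constructed submissions: one intact, one with the price edited locally.
    print(verify_submission(urlencode(signed), "203.0.113.5"))
    print(verify_submission(urlencode(dict(signed, price="1.00")), "203.0.113.5"))
```

The signature only proves that the fields are the ones the server emitted; it does not make a client-supplied price a good idea. The strongest arrangement is to sign only an item identifier and look the price up server-side at submission time, and to reserve the signature for values that genuinely have to round-trip through the browser.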