COMMAND

    Web-Based Shopping Cart Applications

SYSTEMS AFFECTED

    Web-Based Shopping Cart Applications

PROBLEM

    The following is based on an ISS E-Security Alert.  There are form
    tampering vulnerabilities present in several web-based shopping
    cart applications.  Over the past couple of years, form tampering
    vulnerabilities have been discussed on security forums.  ISS
    X-Force has continued to research this area due to the constant
    increase in e-commerce.  ISS X-Force has identified eleven
    shopping cart applications that are vulnerable to price changing
    using form tampering.  It is possible for an attacker to take
    advantage of the form tampering vulnerabilities and order items
    at a reduced price on an e-commerce site.  The web store operator
    should verify the price of each item ordered in the shopping cart
    application database or e-mail invoice.

    Many web-based  shopping cart  applications use  hidden fields  in
    HTML forms to hold parameters for items in an online store.  These
    parameters can include the item's name, weight, quantity,  product
    ID, and price. An application  that bases price on a  hidden field
    in  an  HTML  form  may  be  compromised by this vulnerability. An
    attacker could  modify the  HTML form  on their  local machine  to
    change the price  of the item  and then load  the page into  a web
    browser.  After  submitting the form,  the item is  added to their
    shopping cart  at the  modified price.   Vulnerable shopping  cart
    applications use a hidden field  containing the price of an  item.
    When the value of that hidden field is changed, the shopping  cart
    application  stores  the  changed  price  in  its  database and/or
    e-mail  invoice.   This  vulnerability  can  also  affect   hidden
    discount fields  in the  HTML form.   An attacker  can modify  the
    discount  fields  to  get  a  discount  on  items without actually
    modifying the price in the form.  If a site processes credit  card
    orders in real time,  it may not be  possible to verify the  price
    of each item before the credit card is charged.

    Another situation that can lead to price changing occurs when  the
    price of an  item is listed  in a URL.  When clicking a  link, the
    CGI program will add the item to the shopping cart with the  price
    set in the URL.  Simply changing the price in the URL will add the
    item to  the shopping  cart at  the modified  price. Shopping cart
    software should not rely on the web browser to set the price of an
    item.

    Several of these applications use  a security method based on  the
    HTTP header to  verify the request  is coming from  an appropriate
    site.  The applications tested do  not check to see if there  is a
    referrer in the HTTP header,  so the transaction will continue  if
    the  form  is  submitted  from  a  hard drive.  Microsoft Internet
    Explorer 5.0 does not include a referrer field in the HTTP  header
    if the form is submitted from a page stored on a local drive  (see
    Microsoft Knowledge  Base article  Q178066).   The inclusion  of a
    referrer  field  makes  it  more  difficult  to exploit these form
    tampering  vulnerabilities.   However,  a  referrer  field  can be
    modified,  allowing  an  attacker  to  take  advantage  of   these
    vulnerabilities.

    The ISS X-Force has  identified eleven shopping cart  applications
    that are vulnerable to form  tampering.  ISS X-Force has  notified
    all  the  listed  shopping  cart  software  companies  of the form
    tampering vulnerabilities and will  continue to work with  them to
    ensure their software is secure.   The following is a list of  the
    affected vendors  and their  response to  these vulnerabilities in
    the 45 day alert process.

    Check It Out

        http://ssl.adgrafix.com

    has   completed    securing   their    software   against    these
    vulnerabilities.

    Seven  shopping  cart  software  companies  have  modified   their
    applications to provide a higher level of security:

        @Retail (http://www.atretail.com)
        Cart32 2.6 (http://www.cart32.com)
        CartIt 3.0 (http://www.cartit.com)
        Make-a-Store OrderPage (http://www.make-a-store.com)
        SalesCart (http://www.salescart.com)
        SmartCart (http://www.smartcart.com)
        Shoptron 1.2 (http://www.shoptron.com)

    Three have not yet provided any fix information:

        EasyCart (http://www.easycart.com)
        Intellivend (http://www.intellivend.com)
        WebSiteTool (http://www.websitetool.com)

    Consulting and contracting firms may use shopping cart  techniques
    to create e-commerce pages  for customers, making it  possible for
    many  other  e-commerce  sites  to  be  vulnerable  to  these form
    tampering vulnerabilities.

    For more information on other vulnerabilities that involve  hidden
    form fields in HTML pages, see  the white paper on the MSC  Hidden
    Form Field Vulnerability at

        http://www.miora.com/files/index.htm

    Erik Gjertsen was doing some testing with an application not
    mentioned here, namely Filemaker (formerly Claris Filemaker), a
    database application that can be used together with a
    web-publishing plugin or the Lasso web server to provide a simple
    "shopping cart" type system.  Filemaker uses _both_ HTML forms
    and URLs for the exchange of information between the
    web-plugin/Lasso and the database backend.  He also tested several
    sites based on this system, and changing and/or deleting
    information stored in the database from a web browser is a trivial
    task, even without modifying forms locally.

    The only way to protect a Filemaker database is to set up the
    built-in web security system, so that databases such as stock and
    price lists are "read-only" from the web.  That still leaves the
    order database unprotected (you will need write access to that
    database in order to place orders).  Some tests on random sites
    picked from Filemaker's "Happy customers" list revealed that all
    the tested sites (admittedly not that many...) were vulnerable.
    Changing prices and other database information could be very
    easily accomplished.

SOLUTION

    If  an  e-commerce  site  is  vulnerable  to  price  changing, the
    shopping cart software should be upgraded or changed.  If this  is
    not possible,  verify the  price of  each item  in every completed
    order to ensure that no one is exploiting this vulnerability.

    A  technique  that  fixes  the  form  tampering  vulnerability  is
    described in  the September  1998 issue  of Web  Techniques in  an
    article written by Dr. Lincoln D. Stein. The article is  available
    at:

        http://www.webtechniques.com/archives/1998/09/webm/

    In the article, Dr. Stein describes a technique that detects any
    modification of an HTML form that the server did not make itself.
    The server computes an MD5 sum over a secret key and the form data
    when it generates the form, and computes it again over the data
    that comes back on submission; if the two sums differ, the form
    has been tampered with.  All MD5 sum discrepancies can be output
    to a log file that includes the IP address of the attacker's
    machine.
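    A server-side implementation of that check, added here as an
    example (it is not Dr. Stein's code, nor ISS's): the server signs
    the hidden fields when it renders the form and re-checks the
    signature on submission, logging mismatches with the client IP.
    HMAC-SHA256 stands in for the article's MD5-of-key-and-data
    construction, and the secret key, field names and addresses are
    constructed for the demo.

```python
import hashlib
import hmac
import logging
from typing import Dict, Optional
from urllib.parse import parse_qs

# Assumption: a secret held only on the server; constructed value for the demo.
SECRET_KEY = b"constructed-demo-secret-key"
# Hidden fields the store depends on; a fixed order keeps the MAC input canonical.
FIELD_ORDER = ("product_id", "price", "discount")


def _canonical(fields: Dict[str, str]) -> bytes:
    # Same serialization at render time and at submission time.
    return "&".join(f"{name}={fields[name]}" for name in FIELD_ORDER).encode()


def sign_fields(fields: Dict[str, str]) -> str:
    # HMAC-SHA256 in place of the article's MD5(secret + data).
    return hmac.new(SECRET_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def render_hidden_inputs(fields: Dict[str, str]) -> str:
    """Build the hidden <input> elements plus a 'sig' field binding them to the server."""
    inputs = [f'<input type="hidden" name="{n}" value="{fields[n]}">' for n in FIELD_ORDER]
    inputs.append(f'<input type="hidden" name="sig" value="{sign_fields(fields)}">')
    return "\n".join(inputs)


def verify_submission(query_string: str, client_ip: str) -> Optional[Dict[str, str]]:
    """Return the hidden fields if their signature checks out, else log and return None."""
    parsed = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    try:
        submitted = {name: parsed[name] for name in FIELD_ORDER}
        presented_sig = parsed["sig"]
    except KeyError as missing:
        logging.warning("form from %s is missing field %s", client_ip, missing)
        return None
    # Constant-time compare; a mismatch means a signed field changed after rendering.
    if not hmac.compare_digest(sign_fields(submitted), presented_sig):
        logging.warning("form tampering from %s: fields %s", client_ip, submitted)
        return None
    return submitted


if __name__ == "__main__":
    item = {"product_id": "1042", "price": "149.99", "discount": "0"}
    print(render_hidden_inputs(item))
    intact = "product_id=1042&price=149.99&discount=0&sig=" + sign_fields(item)
    print(verify_submission(intact, "203.0.113.5"))  # the item dict above
    altered = intact.replace("price=149.99", "price=1.99")
    print(verify_submission(altered, "203.0.113.5"))  # None, mismatch logged
```

    Because the signature only proves the fields are the ones the
    server emitted, the price still has to come from the server's own
    catalog at render time; a signed form cannot make a wrong price
    right.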