
CyberOffice Shopping Cart v2 Price Modification Vulnerability

    CyberOffice Shopping Cart

Affected

    CyberOffice Shopping Cart v2

Description

    Following  is  based  on  a  Delphis  Consulting Security Advisory
    DST2K0036.   Delphis  Consulting  Internet  Security  Team (DCIST)
    discovered  the  following  vulnerability  in CyberOffice Shopping
    Cart v2 under Windows NT.

    It is possible to modify the unit price of items, because the price
    is submitted as a hidden field in the order form.  By saving a copy
    of the order form locally and modifying the value, it is possible to
    submit an order form with a zero or even negative price value.
    Example:

        <input type="hidden" name="Price" value="0">

    The vendor's solution relies on referrers and is easily bypassed.
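    As an added illustration (not code from the advisory or from the
    CyberOffice product), the handler below contrasts the flawed pattern
    of trusting the hidden "Price" field with a server-side price lookup
    that ignores whatever the browser sends.  The catalogue, form field
    names ("Item", "Price", "Quantity") and the quantity ceiling are
    assumed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample catalogue: the server-side source of truth for prices.
CATALOGUE = {
    "SKU-100": Decimal("19.99"),
    "SKU-200": Decimal("5.00"),
}

MAX_QTY = 100  # assumed sanity limit on a single line item


def insecure_total(form):
    """Flawed pattern from the advisory: the hidden 'Price' field the
    client submitted is used as-is, so 0 or a negative value is honoured."""
    return Decimal(form["Price"]) * int(form["Quantity"])


def secure_total(form, catalogue=CATALOGUE):
    """Hardened version: price comes only from the catalogue, keyed by the
    item id; the client-supplied 'Price' (if any) is never read."""
    item = form.get("Item")
    if item not in catalogue:
        raise ValueError("unknown item id")
    try:
        qty = int(form.get("Quantity", "0"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if qty <= 0 or qty > MAX_QTY:
        raise ValueError("quantity out of range")
    return catalogue[item] * qty


def price_tampered(form, catalogue=CATALOGUE):
    """Detection aid: True when a submitted hidden 'Price' disagrees with
    the catalogue, which is worth logging even after the server-side fix."""
    item = form.get("Item")
    if item not in catalogue or "Price" not in form:
        return False
    try:
        return Decimal(form["Price"]) != catalogue[item]
    except InvalidOperation:
        return True
```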

Solution

    Currently Delphis recommends the following: make transactions
    non-realtime (i.e. manual authorisation).

    SmartWin is aware of the problem and has provided a solution since
    about 6 months ago.  Under Global / System Settings of the Shop
    Manager, you can set Authorized URL(s) to specify the Web sites
    (folders) where the shopping pages reside.  This effectively stops
    the problem you reported in this article.  Typically, merchants will
    switch on the option for real-time services.
