
Element InstantShop - modify unit price
Vulnerability

    Element InstantShop

Affected

    Element InstantShop

Description

    The following is based on the Securax-SA-07 Security Advisory. It is
    possible to modify the unit price of items, because the price is
    submitted as a hidden field as part of the order form. By saving a
    copy of the order form locally and modifying the value, it is
    possible to submit an order form with a zero or even negative price.

    Example:

        <INPUT TYPE = HIDDEN NAME = "product" VALUE = "blah-blah">
        <INPUT TYPE = HIDDEN NAME = "name" VALUE = "blah-blah" >
        <INPUT TYPE = HIDDEN NAME = "price" VALUE = "1">
        --> change this value to anything you like.
        <INPUT TYPE = HIDDEN NAME = "weight" VALUE = "1">
        <INPUT TYPE = HIDDEN NAME = "shopperid" VALUE = "">
        <INPUT TYPE = HIDDEN NAME = "departement" VALUE = "11">
        <INPUT TYPE = HIDDEN NAME = "index" VALUE = "1">

Solution

    A regrettable situation, but the vendor has fixed this issue in all
    affected shops. They now take the price from the database and no
    longer from the form field submitted by the previous page.
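    The following is an added illustration of the flaw and of the fix the
    vendor describes; it is not InstantShop code. It uses an in-memory
    SQLite table with constructed product names and prices (the "1"
    index and "blah-blah" name mirror the advisory's form fields, the
    prices are made up). The vulnerable handler trusts the submitted
    "price" field; the hardened handler looks the price up by product
    index, validates the quantity, and can flag a submitted price that
    disagrees with the catalogue so that tampering attempts show up in
    logs.

```python
import sqlite3
from decimal import Decimal

# Constructed catalogue standing in for the shop's product database.
# Product names/prices are hypothetical; only the field names follow the advisory.
CATALOGUE = [
    ("1", "blah-blah", "19.95"),
    ("2", "another-item", "4.50"),
]


def open_catalogue():
    """Create an in-memory SQLite catalogue keyed by the form's 'index' field."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (idx TEXT PRIMARY KEY, name TEXT, price TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", CATALOGUE)
    return conn


def total_from_form(form):
    """Vulnerable pattern: the hidden 'price' field is trusted as submitted.

    A client that edits the saved form can make this zero or negative.
    """
    return Decimal(form["price"]) * int(form.get("quantity", "1"))


def total_from_catalogue(conn, form):
    """Fixed pattern: price comes from the database; the submitted price is ignored."""
    row = conn.execute(
        "SELECT price FROM product WHERE idx = ?", (form["index"],)
    ).fetchone()
    if row is None:
        raise ValueError("unknown product index")
    try:
        qty = int(form.get("quantity", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if qty < 1:
        raise ValueError("quantity must be positive")
    return Decimal(row[0]) * qty


def price_mismatch(conn, form):
    """Detection aid: True when the submitted price differs from the catalogue price.

    The hardened handler never uses the submitted value, but logging a
    mismatch shows which sessions are editing hidden fields.
    """
    row = conn.execute(
        "SELECT price FROM product WHERE idx = ?", (form["index"],)
    ).fetchone()
    if row is None or "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != Decimal(row[0])
    except ArithmeticError:
        return True


if __name__ == "__main__":
    db = open_catalogue()
    # Constructed submission with the hidden price edited to a negative value.
    tampered = {"product": "blah-blah", "name": "blah-blah",
                "price": "-5", "weight": "1", "index": "1"}
    print("vulnerable total:", total_from_form(tampered))      # -5
    print("catalogue total: ", total_from_catalogue(db, tampered))  # 19.95
    print("mismatch flagged:", price_mismatch(db, tampered))   # True
```

    Keeping prices as text in the table and converting with Decimal
    avoids floating-point rounding in totals; the mismatch check is
    intentionally separate from pricing so that a tampered field can be
    logged without ever influencing the amount charged.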
