Vulnerability: Web-Based Shopping Cart Applications
Affected: Web-Based Shopping Cart Applications

Description:

The following is based on an ISS E-Security Alert. There are form tampering vulnerabilities in several web-based shopping cart applications. Form tampering vulnerabilities have been discussed on security forums over the past couple of years, and ISS X-Force has continued to research this area because of the constant growth of e-commerce. ISS X-Force has identified eleven shopping cart applications that are vulnerable to price changing through form tampering. An attacker can take advantage of these vulnerabilities to order items at a reduced price on an e-commerce site. The web store operator should verify the price of each item ordered, as recorded in the shopping cart application's database or in the e-mail invoice.

Many web-based shopping cart applications use hidden fields in HTML forms to hold parameters for the items in an online store. These parameters can include the item's name, weight, quantity, product ID, and price. Any application that bases the price on a hidden field in an HTML form may be affected. An attacker can save the HTML form to their local machine, edit the price of the item, and load the modified page into a web browser. After the form is submitted, the item is added to their shopping cart at the modified price.

Vulnerable shopping cart applications use a hidden field containing the price of an item. When the value of that hidden field is changed, the shopping cart application stores the changed price in its database and/or e-mail invoice. The same problem affects hidden discount fields: an attacker can modify a discount field to obtain a discount on items without touching the price field at all. If a site processes credit card orders in real time, it may not be possible to verify the price of each item before the credit card is charged.
Another situation that can lead to price changing occurs when the price of an item is listed in a URL. When the link is clicked, the CGI program adds the item to the shopping cart with the price given in the URL, so simply changing the price in the URL adds the item at the modified price. Shopping cart software should not rely on the web browser to set the price of an item.

Several of these applications use a check based on the HTTP Referer header to verify that the request comes from an appropriate site. The applications tested do not check whether a referrer is present at all, so the transaction continues when the form is submitted from a local hard drive. Microsoft Internet Explorer 5.0 does not include a referrer field in the HTTP header when the form is submitted from a page stored on a local drive (see Microsoft Knowledge Base article Q178066). Requiring a referrer field makes these form tampering vulnerabilities harder to exploit, but the referrer field can itself be modified, so it does not stop an attacker from taking advantage of them.

ISS X-Force has identified eleven shopping cart applications that are vulnerable to form tampering, has notified all of the listed shopping cart software companies, and will continue to work with them to ensure their software is secure. The following is a list of the affected vendors and their response to these vulnerabilities during the 45-day alert process.

One vendor has completed securing their software against these vulnerabilities:

- Check It Out (http://ssl.adgrafix.com)
Seven shopping cart software companies have modified their applications to provide a higher level of security:

- @Retail (http://www.atretail.com)
- Cart32 2.6 (http://www.cart32.com)
- CartIt 3.0 (http://www.cartit.com)
- Make-a-Store OrderPage (http://www.make-a-store.com)
- SalesCart (http://www.salescart.com)
- SmartCart (http://www.smartcart.com)
- Shoptron 1.2 (http://www.shoptron.com)

Three have not yet provided any fix information:

- EasyCart (http://www.easycart.com)
- Intellivend (http://www.intellivend.com)
- WebSiteTool (http://www.websitetool.com)

Consulting and contracting firms may use the same shopping cart techniques when building e-commerce pages for customers, so many other e-commerce sites may be vulnerable to these form tampering vulnerabilities. For more information on other vulnerabilities that involve hidden form fields in HTML pages, see the white paper on the MSC Hidden Form Field Vulnerability at http://www.miora.com/files/index.htm

Erik Gjertsen did some testing with an application not mentioned above, FileMaker (formerly Claris FileMaker), a database application that can be used together with a web-publishing plugin or the Lasso web server to provide a simple "shopping cart" type system. FileMaker uses _both_ HTML forms and URLs to exchange information between the web plugin/Lasso and the database backend. He also tested several sites based on this system, and changing and/or deleting information stored in the database from a web browser proved to be a trivial task, even without modifying forms locally. The only way to protect a FileMaker database is to set up the built-in web security system so that databases such as stock and price lists are read-only from the web. That still leaves the order database unprotected, since write access to that database is needed in order to place orders. Tests on random sites picked from FileMaker's "Happy customers" list revealed that all of the tested sites (admittedly not that many...) were vulnerable; changing prices and other database information could be very easily accomplished.

Solution:

If an e-commerce site is vulnerable to price changing, the shopping cart software should be upgraded or replaced. If this is not possible, verify the price of each item in every completed order to ensure that no one is exploiting this vulnerability.

A technique that fixes the form tampering vulnerability is described in the September 1998 issue of Web Techniques in an article written by Dr. Lincoln D. Stein. The article is available at http://www.webtechniques.com/archives/1998/09/webm/ . In it, Dr. Stein describes a technique that prevents HTML forms from being modified without the server's knowledge: by computing MD5 sums over a secret key and the form data before and after form submission, the server can verify that no tampering has occurred. Every MD5 sum discrepancy can be written to a log file that includes the IP address of the attacker's machine.
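The hidden-price pattern described in the Description and the signed-form fix referenced in the Solution, side by side, as an added worked example; this is not code from the advisory or from any of the shopping cart products it names. It assumes a constructed catalog, a constructed secret key, and the field names product_id, price and sig, and it substitutes HMAC-SHA256 for the MD5 of secret key plus form data that Dr. Stein's article describes. The hardened path also takes the final price from the server-side catalog, so a signed form and a price carried in a URL are treated the same way: neither is allowed to set the price.

```python
"""Hidden-field price tampering: the flawed pattern beside a signed-field fix.

Constructed example. CATALOG, SECRET_KEY and the field names are assumptions,
not the code of any shopping cart named in the advisory.
"""
import hashlib
import hmac

# Constructed server-side price list. The authoritative price lives here,
# never in the browser.
CATALOG = {"SKU-1001": "49.95", "SKU-2002": "129.00"}

# Constructed secret; a real deployment loads this from server-side config.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

SIGNATURE_FIELD = "sig"


def _canonical(fields):
    """Deterministic serialisation of every field except the signature."""
    return "&".join(
        f"{k}={fields[k]}" for k in sorted(fields) if k != SIGNATURE_FIELD
    ).encode()


def sign_fields(fields):
    """Return a copy of the hidden fields with an HMAC-SHA256 signature added.

    Stein's article computes an MD5 over secret key + form data; HMAC-SHA256
    is the modern equivalent substituted here (an assumption of this example).
    """
    signed = {k: v for k, v in fields.items() if k != SIGNATURE_FIELD}
    signed[SIGNATURE_FIELD] = hmac.new(
        SECRET_KEY, _canonical(signed), hashlib.sha256
    ).hexdigest()
    return signed


def verify_fields(fields):
    """True only if the signature matches the fields exactly as the server issued them."""
    presented = fields.get(SIGNATURE_FIELD, "")
    expected = hmac.new(SECRET_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)


def vulnerable_add_to_cart(fields):
    """The pattern the advisory describes: the price is taken straight from the form."""
    return {"product_id": fields["product_id"], "price": fields["price"]}


def hardened_add_to_cart(fields, client_ip, log):
    """Reject tampered forms, log the client IP, and price the item from the catalog."""
    if not verify_fields(fields):
        log.append(f"form tampering detected from {client_ip}: {dict(fields)}")
        return None
    product_id = fields["product_id"]
    if product_id not in CATALOG:
        log.append(f"unknown product {product_id!r} from {client_ip}")
        return None
    # Even with a valid signature, the price comes from the server-side catalog,
    # so a browser-supplied price (hidden field or URL parameter) is never used.
    return {"product_id": product_id, "price": CATALOG[product_id]}


def demo():
    """Run one honest and one tampered submission through both code paths."""
    log = []
    # Form as the server rendered it.
    form = sign_fields({"product_id": "SKU-2002", "price": CATALOG["SKU-2002"]})
    # The same form after being saved locally and edited (the case the advisory describes).
    tampered = dict(form, price="1.00")
    vuln = vulnerable_add_to_cart(tampered)            # accepts the edited price
    hard = hardened_add_to_cart(tampered, "192.0.2.10", log)  # rejects and logs
    honest = hardened_add_to_cart(form, "192.0.2.11", log)    # accepted at catalog price
    return vuln, hard, honest, log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The signature covers every field the server emitted, so editing the price, a discount field, or any other hidden parameter invalidates it, and the log line records the submitting address as the advisory suggests. The catalog lookup is the belt-and-braces part: even if a signed form is replayed after a price change, the order is priced from the server's current data rather than from what the browser returned.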