COMMAND

ShopFactory shopping cart price manipulation

SYSTEMS AFFECTED

All up to 5.8 ?

PROBLEM

In Trust Factory Security advisory [TF20021004] of Richard van den Berg [richard@trust-factory.com] :

http://www.trust-factory.com/TF20021004.html

--snip--

The contents of shopping carts used by shops created with ShopFactory software can be modified at will by customers. One interesting vulnerability is the ability to maliciously modify prices of items in the shopping carts. Tests show that the modifications are maintained throughout the billing process.

Technical details:
==================

Shopping carts created with ShopFactory software optionally store all contents of the cart in a cookie at the browser. This includes product IDs, descriptions and prices. Upon revisiting the store, this cookie is used to fill the cart for the new session. At checkout the contents of this new cart are used to enter the order into the shop's delivery and billing system.

If the shop owner has set "Remember Shopping cart for (days)" to 0, cookies are not created by the shop. Prior to version 5.8 cookies are being read even when the shop does not create them. If a malicious user manually creates a cookie with incorrect pricing, it would still be used to fill the cart for a new shopping session.

--snap--

Update (05 March 2003)
======================

Maarten [secfocus@hartsuijker.com] adds :

The main problem is that all actions that are trusted to the client side of the configuration are also adjustable by the maintainer of that side. Since the pricing of products within the sites is trusted to the client, a customer of a shop that is using Shopfactory is able to determine his own price for the product he wants to order.

Within the site, there are three main points where altering the price is possible:

1. Before adding a product to your shopping cart, the price can be altered to a preferred value. The price that will be sent to the shopping cart can be found in a hidden form field.

2. When adding a product to your shopping cart, the price is stored in a cookie. As of version 5.8, this cookie has been "encrypted". However, the "encryption" and "decryption" of the cookie also happens client side. The algorithm can be found in the JavaScript code that is included in one of the frames of the site.

3. After processing your shopping cart, the details in the cookie get "decrypted" and are put into one form. At this point, all the details of your order can be altered before you post them to a cgi on the Shopfactory server, that is processing the order for the shop owner.

SOLUTION

ShopFactory violates the "don't trust user input" rule of application programming, resulting in potential loss of profit for shops using this software. See also Don't #2 of "Twenty Don'ts for ASP Developers" at

http://online.securityfocus.com/infocus/1603

Possible work around:
=====================

Upgrade to at least version 5.8 of the ShopFactory software and set "Remember Shopping cart for (days)" to 0.
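
The "don't trust user input" rule above, as an added example that is not ShopFactory code or part of either advisory: an order handler that takes only the product ID and quantity from the cookie or form, prices each line from a server-side catalog, and records any client-supplied price that disagrees. The catalog, field names, SKUs and quantity limit are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server-side price list is the only trusted price source.
CATALOG = {"SKU-1001": Decimal("49.95"), "SKU-2002": Decimal("12.50")}
MAX_QTY = 100  # assumed per-line sanity limit


class OrderRejected(Exception):
    """Raised when a submitted line cannot be mapped to a valid catalog order."""


def reprice_order(submitted_lines):
    """Rebuild an order using only the product ID and quantity from the client.

    Any client-supplied price is compared with the catalog for logging and then
    discarded. Returns (total, priced_lines, tamper_events).
    """
    total, priced, events = Decimal("0"), [], []
    for line in submitted_lines:
        pid = str(line.get("id", ""))
        if pid not in CATALOG:
            raise OrderRejected(f"unknown product id {pid!r}")
        try:
            qty = int(line.get("qty"))
        except (TypeError, ValueError):
            raise OrderRejected(f"bad quantity for {pid}") from None
        if not 1 <= qty <= MAX_QTY:
            raise OrderRejected(f"quantity out of range for {pid}")
        unit = CATALOG[pid]
        claimed = line.get("price")
        if claimed is not None:
            try:
                mismatch = Decimal(str(claimed)) != unit
            except InvalidOperation:
                mismatch = True  # an unparseable price is also worth logging
            if mismatch:
                events.append({"id": pid, "claimed": str(claimed), "catalog": str(unit)})
        priced.append({"id": pid, "qty": qty, "unit": unit, "line_total": unit * qty})
        total += unit * qty
    return total, priced, events


# Constructed input: fields as they might arrive from the cookie or order form,
# with the first line's price altered by the customer.
SAMPLE = [
    {"id": "SKU-1001", "qty": "2", "price": "0.01"},
    {"id": "SKU-2002", "qty": "1", "price": "12.50"},
]
```

The order total comes out at the catalog price regardless of what the client sent, and the tamper events give the shop owner something to alert on.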