>Delivered-To: [EMAIL PROTECTED]
>Date: Tue, 1 Feb 2000 11:08:50 -0500 (EST)
>From: X-Force <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in
>Several Web-Based Shopping Cart Applications
>Sender: [EMAIL PROTECTED]
>Reply-To: X-Force <[EMAIL PROTECTED]>
>X-Loop: alert
>
>
>TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
>[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
>---------------------------------------------------------------------------
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>ISS E-Security Alert
>February 1, 2000
>
>Form Tampering Vulnerabilities in Several Web-Based Shopping Cart
>Applications
>
>Synopsis:
>
>There are form tampering vulnerabilities present in several web-based
>shopping cart applications. Over the past couple of years, form tampering
>vulnerabilities have been discussed on security forums. ISS X-Force has
>continued to research this area due to the constant increase in e-commerce.
>ISS X-Force has identified eleven shopping cart applications that are
>vulnerable to price changing using form tampering. It is possible for an
>attacker to take advantage of the form tampering vulnerabilities and order
>items at a reduced price on an e-commerce site. The web store operator
>should verify the price of each item ordered in the shopping cart
>application database or email invoice.
>
>Description:
>
>Many web-based shopping cart applications use hidden fields in HTML forms to
>hold parameters for items in an online store. These parameters can include
>the item's name, weight, quantity, product ID, and price. An application
>that bases price on a hidden field in an HTML form may be compromised by
>this vulnerability. An attacker could modify the HTML form on their local
>machine to change the price of the item and then load the page into a web
>browser. After submitting the form, the item is added to their shopping cart
>at the modified price. Vulnerable shopping cart applications use a hidden
>field containing the price of an item. When the value of that hidden field
>is changed, the shopping cart application stores the changed price in its
>database and/or e-mail invoice. This vulnerability can also affect hidden
>discount fields in the HTML form. An attacker can modify the discount fields
>to get a discount on items without actually modifying the price in the form.
>If a site processes credit card orders in real time, it may not be possible
>to verify the price of each item before the credit card is charged.
>
>Another situation that can lead to price changing occurs when the price of
>an item is listed in a URL. When clicking a link, the CGI program will add
>the item to the shopping cart with the price set in the URL. Simply
>changing the price in the URL will add the item to the shopping cart at
>the modified price. Shopping cart software should not rely on the web
>browser to set the price of an item.
>
>Several of these applications use a security method based on the HTTP header
>to verify the request is coming from an appropriate site. The applications
>tested do not check to see if there is a referrer in the HTTP header, so the
>transaction will continue if the form is submitted from a hard drive.
>Microsoft Internet Explorer 5.0 does not include a referrer field in the
>HTTP header if the form is submitted from a page stored on a local drive
>(see Microsoft Knowledge Base article Q178066). The inclusion of a referrer
>field makes it more difficult to exploit these form tampering
>vulnerabilities. However, a referrer field can be modified, allowing an
>attacker to take advantage of these vulnerabilities.
>
>The ISS X-Force has identified eleven shopping cart applications that are
>vulnerable to form tampering. ISS X-Force has notified all the listed
>shopping cart software companies of the form tampering vulnerabilities and
>will continue to work with them to ensure their software is secure. The
>following is a list of the affected vendors and their response to these
>vulnerabilities in the 45 day alert process.
>
>Check It Out (http://ssl.adgrafix.com) has completed securing their software
>against these vulnerabilities.
>
>Seven shopping cart software companies have modified their applications to
>provide a higher level of security:
>@Retail (http://www.atretail.com)
>Cart32 2.6 (http://www.cart32.com)
>CartIt 3.0 (http://www.cartit.com)
>Make-a-Store OrderPage (http://www.make-a-store.com)
>SalesCart (http://www.salescart.com)
>SmartCart (http://www.smartcart.com)
>Shoptron 1.2 (http://www.shoptron.com)
>
>Three have not yet provided any fix information:
>EasyCart (http://www.easycart.com)
>Intellivend (http://www.intellivend.com)
>WebSiteTool (http://www.websitetool.com)
>
>Consulting and contracting firms may use shopping cart techniques to create
>e-commerce pages for customers, making it possible for many other e-commerce
>sites to be vulnerable to these form tampering vulnerabilities.
>
>Additional Information:
>
>For more information on other vulnerabilities that involve hidden form
>fields in HTML pages, see the white paper on the MSC Hidden Form Field
>Vulnerability at http://www.miora.com/files/index.htm.
>
>In April 1999 the BugTraq mailing list hosted a discussion
>about a different type of shopping cart vulnerability that would allow
>attackers to expose users' credit card and order information to the
>public. For more information on this go to:
>http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-8&th
>[EMAIL PROTECTED]
>
>Recommendations:
>
>If an e-commerce site is vulnerable to price changing, the shopping cart
>software should be upgraded or changed. If this is not possible, verify the
>price of each item in every completed order to ensure that no one is
>exploiting this vulnerability.
>
>A technique that fixes the form tampering vulnerability is described in the
>September 1998 issue of Web Techniques in an article written by Dr. Lincoln
>D. Stein. The article is available at:
>http://www.webtechniques.com/archives/1998/09/webm/.
>In the article, Dr. Stein describes a technique that prevents HTML forms
>from being modified without knowledge. By computing MD5 sums of a secret key
>and form data before and after form submission, there is a method to
>verify that no tampering has occurred. All MD5 sum discrepancies can be
>output to a log file that includes the IP address of the attacker's
>machine.
>
>ISS X-Force recommends contacting ISS' Consulting and Education Group (CEG)
>to perform a security assessment against your e-commerce solution to ensure
>and validate the security of your e-business applications. For more
>information, please contact CEG at <mailto:[EMAIL PROTECTED]> or
>1-800-776-2362.
>
>About ISS
>ISS is a leading global provider of security management solutions for
>e-business. By offering best-of-breed SAFEsuite(tm) security software,
>comprehensive ePatrol(tm) monitoring services and industry-leading
>expertise, ISS serves as its customers' trusted security provider protecting
>digital assets and ensuring the availability, confidentiality and integrity
>of computer systems and information critical to e-business success. ISS'
>security management solutions protect more than 5,000 customers including 21
>of the 25 largest U.S. commercial banks, 9 of the 10 largest
>telecommunications companies and over 35 government agencies. Founded in
>1994, ISS is headquartered in Atlanta, GA, with additional offices
>throughout North America and international operations in Asia, Australia,
>Europe and Latin America. For more information, visit the ISS Web site at
>www.iss.net or call 888-901-7477.
>
>Copyright (c) 2000 by Internet Security Systems, Inc.
>
>Permission is hereby granted for the redistribution of this Alert
>electronically. It is not to be edited in any way without express consent
>of the X-Force. If you wish to reprint the whole or any part of this Alert
>in any other medium excluding electronic medium, please e-mail
>[EMAIL PROTECTED] for permission.
>
>Disclaimer
>
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There are
>NO warranties with regard to this information. In no event shall the author
>be liable for any damages whatsoever arising out of or in connection with
>the use or spread of this information. Any use of this information is at the
>user's own risk.
>
>
>
>X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
>as on MIT's PGP key server and PGP.com's key server.
>
>Please send suggestions, updates, and comments to: X-Force <[EMAIL PROTECTED]>
>of Internet Security Systems, Inc.
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3a
>Charset: noconv
>
>iQCVAwUBOJcEjjRfJiV99eG9AQGPtgP/WpEP9MNhMK8GiGTzKz+KGbrxSh7S85m9
>D+QyblWJqIFpTPAEbiLcvy5S0riXtVNdR9+qjM38r4Rq666bu8UMMaHMPizm/4Tt
>jY8J3RpcUJqw1qAaB6MB8R+TAG/BSRMHi0dvIrgy4VC6sWqglH7jltQMwxer60SS
>gRxGEK27HHc=
>=ZRpU
>-----END PGP SIGNATURE-----
>

------- AFLHI 058009990407128029/089802---(102598//991024) --
The first magic site in Indonesia http://www.impact.or.id/dmc-sulap/
To unsubscribe, e-mail : [EMAIL PROTECTED]
To subscribe, e-mail : [EMAIL PROTECTED]
Netika BerInternet : [EMAIL PROTECTED]
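The alert makes two points a cart implementer needs: the browser must never be the source of an item's price (hidden field or URL parameter), and, where hidden fields must round-trip through the client, they can be bound to a keyed hash so that any change is detected and logged with the client's address, which is the technique the alert attributes to Lincoln Stein. The following is an added example, written for this page and not code from ISS, the Stein article or any of the listed cart products. It uses HMAC-SHA256 in place of the MD5 sum the 1998 article describes; the secret, the catalog, the product IDs and the client addresses are constructed values, and the keyed-hash helper and the cart functions are hypothetical names.

```python
"""Signed hidden fields plus server-side pricing for a cart add-to-order step.

Added example. Defends against the form tampering described in the alert by
  1. pricing every order line from the server's own catalog, never from a
     price the browser submitted (hidden field or URL parameter), and
  2. signing the hidden fields with a server secret so that an altered
     price or discount field is detected on submission and logged together
     with the client's IP address.
HMAC-SHA256 stands in for the MD5-of-secret-and-data sum of the 1998 article.
"""
import hashlib
import hmac
import logging
from urllib.parse import parse_qs

# Constructed values. A real deployment keeps the secret out of source and
# reads prices from its database.
SERVER_SECRET = b"example-secret-not-for-production"
CATALOG = {"SKU-1001": 4999, "SKU-2002": 12500}  # prices in cents

# Hidden fields covered by the signature, in a fixed order.
SIGNED_FIELDS = ("product_id", "price", "discount")

log = logging.getLogger("cart.tamper")
tamper_events = []  # in-memory copy of what would go to the log file


def _signature(fields):
    """Keyed hash over the signed field values (hypothetical helper)."""
    msg = "\x00".join(f"{k}={fields.get(k, '')}" for k in SIGNED_FIELDS)
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def render_form(product_id):
    """Hidden-field set the server emits for a product page, with signature."""
    fields = {
        "product_id": product_id,
        "price": str(CATALOG[product_id]),
        "discount": "0",
    }
    fields["sig"] = _signature(fields)
    return fields


def verify_submission(form, client_ip):
    """True if the submitted hidden fields match their signature; log if not."""
    expected = _signature(form).encode()
    presented = str(form.get("sig", "")).encode()
    if not hmac.compare_digest(expected, presented):
        event = f"form tampering from {client_ip}: fields={dict(form)}"
        tamper_events.append(event)
        log.warning(event)
        return False
    return True


def add_to_cart(form, client_ip):
    """Add a line from a submitted form. Returns (accepted, price_in_cents).

    The price charged always comes from CATALOG. The submitted price is only
    compared against it so that a stale or altered value is refused and logged.
    """
    if not verify_submission(form, client_ip):
        return False, None
    product_id = form.get("product_id")
    if product_id not in CATALOG:
        return False, None
    catalog_price = CATALOG[product_id]
    if str(form.get("price")) != str(catalog_price):
        # Signature valid but price no longer current (catalog changed since
        # the page was rendered): refuse rather than honour the old price.
        event = f"stale price from {client_ip}: {form.get('price')} != {catalog_price}"
        tamper_events.append(event)
        log.warning(event)
        return False, None
    return True, catalog_price


def add_from_query(query_string, client_ip):
    """Add a line from an 'add item' link. Any price in the URL is ignored."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    product_id = params.get("product_id")
    if product_id not in CATALOG:
        return False, None
    if "price" in params and params["price"] != str(CATALOG[product_id]):
        event = f"url price ignored from {client_ip}: {params['price']}"
        tamper_events.append(event)
        log.warning(event)
    return True, CATALOG[product_id]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    form = render_form("SKU-1001")
    print("genuine:", add_to_cart(form, "198.51.100.7"))
    altered = dict(form, price="1")
    print("altered price:", add_to_cart(altered, "198.51.100.7"))
    print("url add:", add_from_query("product_id=SKU-2002&price=1", "198.51.100.9"))
```

The signature covers the discount field as well as the price, which is why the alert's second variant (changing only the discount) is caught by the same check. Separately, `add_from_query` shows that for link-based adds the fix is simply to drop the client-supplied price and key the lookup on the product ID.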
