###############################################
PHPCart order price manipulation
vendor url: www.phpcart.net
advisory:http://lostmon.blogspot.com/2005/04/
phpcart-price-manipulation.html
vendor notify: yes exploit available: yes
OSVDB ID:15859
BID:13406
Secunia: SA15147
Securitytracker:1013892
################################################
PHPCart is a simple shopping system for small web-merchants
.Set-up of PHPCart is quick and easy, and does not require a database.
PHPcart contains a flaw that allows a price manipulation wen order a
product.This flaw exists because the application does not validate
'price' , 'postage' variables upon submission to the 'phpcart.php'
script. This could allow a user to create a specially crafted URL that
can shop some products at 0$, leading to a loss of integrity.
versions:
3.2 afected
3.3 not tested
also is posible all vesions prior to 3.2 are vulnerables.
##########
solution:
##########
upgrade to version 3.3 (not tested)
this version is not tested and is also posible to be vulnerable too.
##########
timeline
##########
discovered:25 april 2005
vendor notify 26 april 2005
vendor response:
vendor fix:
disclosure:27 april 2005
#####################
Proof of concept:
#####################
for exploiting this issue :
1 click in "add to cart" button on product what you are interested
the link have a similar looks :
http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20
Phone&price=35.0&postage=10&quantity=1
if we look we have this variables ==>&price=35.0&postage=10 this is
the price of the product and the post cost.
in your cart you have now a product.
2. click on "view basket" and you have your product ... delete it and
click on this manipulate URL:
http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20
Phone&price=0&postage=&quantity=100
we manipulate 'price' , 'postage' and 'quantity' and now if we look our
basket we have 100 products shopping at cost 0$
############### End ####################
thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
skip to main |
skip to sidebar
Security Research & Analisys:
Personal Blog where I expose my investigations,
advisores and some outstanding news on security.
Categories
Archives
-
►
2022
(2)
- ► November 2022 (1)
- ► October 2022 (1)
-
►
2013
(2)
- ► December 2013 (1)
- ► August 2013 (1)
-
►
2012
(5)
- ► April 2012 (1)
-
►
2011
(5)
- ► October 2011 (1)
- ► March 2011 (1)
-
►
2010
(18)
- ► December 2010 (2)
- ► September 2010 (1)
- ► March 2010 (1)
- ► February 2010 (1)
- ► January 2010 (1)
-
►
2009
(25)
- ► November 2009 (1)
- ► April 2009 (1)
- ► March 2009 (1)
- ► February 2009 (1)
-
►
2008
(24)
- ► August 2008 (9)
- ► April 2008 (1)
- ► March 2008 (1)
-
►
2007
(29)
- ► October 2007 (1)
- ► March 2007 (1)
-
►
2006
(14)
- ► August 2006 (1)
- ► February 2006 (1)
-
▼
2005
(54)
- ► December 2005 (1)
- ▼ April 2005 (14)
Browse
About:Me
My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
La curiosidad es lo que hace
mover la mente...
Online Tools & Calculators
Posts
Lostmon Blogger © All Rights Reserved