-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                    ESB-2000.022 -- ISS E-Security Alert
Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
                              02 February 2000

===========================================================================

ISS has released the following alert concerning vulnerabilities in some
Web-Based Shopping Cart implementations.

These vulnerabilities may allow malicious users to tamper with forms and
order items at a reduced price.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

ISS E-Security Alert
February 1, 2000

Form Tampering Vulnerabilities in Several Web-Based Shopping Cart
Applications

Synopsis:

There are form tampering vulnerabilities present in several web-based
shopping cart applications. Over the past couple of years, form tampering
vulnerabilities have been discussed on security forums. ISS X-Force has
continued to research this area due to the constant increase in e-commerce.
ISS X-Force has identified eleven shopping cart applications that are
vulnerable to price changing using form tampering. It is possible for an
attacker to take advantage of the form tampering vulnerabilities and order
items at a reduced price on an e-commerce site. The web store operator
should verify the price of each item ordered in the shopping cart
application database or email invoice.

Description:

Many web-based shopping cart applications use hidden fields in HTML forms to
hold parameters for items in an online store. These parameters can include
the item's name, weight, quantity, product ID, and price. An application
that bases price on a hidden field in an HTML form may be compromised by
this vulnerability. An attacker could modify the HTML form on their local
machine to change the price of the item and then load the page into a web
browser. After submitting the form, the item is added to their shopping cart
at the modified price. Vulnerable shopping cart applications use a hidden
field containing the price of an item. When the value of that hidden field
is changed, the shopping cart application stores the changed price in its
database and/or e-mail invoice. This vulnerability can also affect hidden
discount fields in the HTML form. An attacker can modify the discount fields
to get a discount on items without actually modifying the price in the form.
If a site processes credit card orders in real time, it may not be possible
to verify the price of each item before the credit card is charged.  

Another situation that can lead to price changing occurs when the price of
an item is listed in a URL. When clicking a link, the CGI program will add
the item to the shopping cart with the price set in the URL. Simply
changing the price in the URL will add the item to the shopping cart at
the modified price. Shopping cart software should not rely on the web
browser to set the price of an item.
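The two patterns above, the hidden-field/URL price the alert warns about and the server-authoritative alternative it calls for, as an added Python example (not code from the alert or from any of the listed vendors). The catalogue, product IDs and handler names are constructed for illustration; the hardened handler takes only the product ID from the client and looks the price up itself, and the audit function covers the alert's fallback advice of verifying every completed order against the store's own prices.

```python
import logging
from urllib.parse import parse_qs

log = logging.getLogger("cart")

# Constructed catalogue standing in for the store's product database
# (prices in cents). Product IDs are hypothetical.
CATALOG = {"SKU-100": 4999, "SKU-200": 1299}

# Tamper events recorded by the hardened handler for later review.
TAMPER_EVENTS = []


def add_to_cart_vulnerable(cart, query_string):
    """The pattern the alert describes: item, price and discount are taken
    straight from the submitted form fields or URL query string."""
    f = parse_qs(query_string)
    item = f["item"][0]
    price = int(f["price"][0])
    discount = int(f.get("discount", ["0"])[0])
    cart.append({"item": item, "price": price - discount})
    return cart


def add_to_cart_hardened(cart, query_string, client_ip="unknown"):
    """Server-authoritative version: only the product ID is read from the
    client; the price comes from the catalogue, never from the browser."""
    f = parse_qs(query_string)
    item = f.get("item", [""])[0]
    if item not in CATALOG:
        raise ValueError(f"unknown product ID {item!r}")
    price = CATALOG[item]
    # A legacy form may still carry a price field. It is never used, but a
    # mismatch is worth recording together with the client address.
    submitted = f.get("price")
    if submitted is not None and submitted[0] != str(price):
        TAMPER_EVENTS.append({"ip": client_ip, "item": item,
                              "submitted": submitted[0], "catalog": price})
        log.warning("price mismatch from %s: %s submitted=%s catalog=%s",
                    client_ip, item, submitted[0], price)
    cart.append({"item": item, "price": price})
    return cart


def reconcile_order(order_lines):
    """Post-order check: compare each stored line price with the catalogue
    and return (item, stored_price, expected_price) for every mismatch."""
    mismatches = []
    for line in order_lines:
        expected = CATALOG.get(line["item"])
        if expected is None or line["price"] != expected:
            mismatches.append((line["item"], line["price"], expected))
    return mismatches


if __name__ == "__main__":
    # Constructed requests: a form whose hidden price was edited to 1 cent.
    print(add_to_cart_vulnerable([], "item=SKU-100&price=1"))
    print(add_to_cart_hardened([], "item=SKU-100&price=1", client_ip="192.0.2.10"))
    print(reconcile_order([{"item": "SKU-100", "price": 1},
                           {"item": "SKU-200", "price": 1299}]))
```

The hardened handler ignores the submitted price entirely rather than "validating" it, so a discount field cannot be abused either; `reconcile_order` is the check a store operator would run over the order database or e-mail invoices before fulfilment when the cart software itself cannot be replaced.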

Several of these applications use a check based on the HTTP Referer header
to verify that the request is coming from an appropriate site. The
applications tested do not check whether a referrer is present at all, so the
transaction continues if the form is submitted from a local hard drive.
Microsoft Internet Explorer 5.0 does not include a referrer field in the
HTTP header if the form is submitted from a page stored on a local drive
(see Microsoft Knowledge Base article Q178066). Requiring a referrer field
makes it more difficult to exploit these form tampering vulnerabilities.
However, the referrer field is supplied by the client and can be modified,
so it does not stop an attacker from taking advantage of these
vulnerabilities.

The ISS X-Force has identified eleven shopping cart applications that are
vulnerable to form tampering. ISS X-Force has notified all the listed
shopping cart software companies of the form tampering vulnerabilities and
will continue to work with them to ensure their software is secure. The
following is a list of the affected vendors and their response to these
vulnerabilities in the 45 day alert process.  

Check It Out (http://ssl.adgrafix.com) has completed securing their software
against these vulnerabilities.

Seven shopping cart software companies have modified their applications to
provide a higher level of security:
@Retail (http://www.atretail.com)
Cart32 2.6 (http://www.cart32.com)
CartIt 3.0 (http://www.cartit.com)
Make-a-Store OrderPage (http://www.make-a-store.com)
SalesCart (http://www.salescart.com)
SmartCart (http://www.smartcart.com)
Shoptron 1.2 (http://www.shoptron.com)

Three have not yet provided any fix information:
EasyCart (http://www.easycart.com)
Intellivend (http://www.intellivend.com)
WebSiteTool (http://www.websitetool.com)

Consulting and contracting firms may use shopping cart techniques to create
e-commerce pages for customers, making it possible for many other e-commerce
sites to be vulnerable to these form tampering vulnerabilities.

Additional Information:

For more information on other vulnerabilities that involve hidden form
fields in HTML pages, see the white paper on the MSC Hidden Form Field
Vulnerability at http://www.miora.com/files/index.htm. 

In April 1999 the BugTraq mailing list hosted a discussion about a different
type of shopping cart vulnerability that would allow attackers to expose
users' credit card and order information to the public. For more information
on this go to:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-8&thread=Pine.LNX.3.96.990420132956.13470B-100000@gonzo.blarg.net

Recommendations:

If an e-commerce site is vulnerable to price changing, the shopping cart
software should be upgraded or changed. If this is not possible, verify the
price of each item in every completed order to ensure that no one is
exploiting this vulnerability.

A technique that fixes the form tampering vulnerability is described in the
September 1998 issue of Web Techniques in an article written by Dr. Lincoln
D. Stein. The article is available at:
http://www.webtechniques.com/archives/1998/09/webm/. 
In the article, Dr. Stein describes a technique that detects any modification
of an HTML form's fields between the time the server generates the form and
the time it is submitted. The server computes an MD5 sum over a secret key
and the form data when it generates the form and recomputes it on
submission; a mismatch shows that tampering has occurred. All MD5 sum
discrepancies can be written to a log file that includes the IP address of
the attacker's machine.
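The keyed-digest technique described above, as an added Python example (not Dr. Stein's code and not code from the alert): the server signs the hidden fields when it renders the form and recomputes the digest on submission, logging the client address on any discrepancy. The article uses an MD5 sum of the secret key and the form data; HMAC-SHA256 is substituted here as the modern keyed-hash construction. The secret, field names, form action and product values are constructed for illustration.

```python
import hashlib
import hmac
import logging
from html import escape
from urllib.parse import parse_qs, urlencode

log = logging.getLogger("cart.sign")

# Constructed demo secret; a real deployment keeps this server-side only.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

# Discrepancies recorded for the log file the alert recommends keeping.
TAMPER_LOG = []


def sign_fields(fields):
    """Keyed digest over a canonical serialisation of the form fields.
    Sorting and URL-encoding the pairs makes the digest independent of
    field order and safe against '&' or '=' inside values."""
    canon = urlencode(sorted((k, str(v)) for k, v in fields.items())).encode()
    return hmac.new(SECRET_KEY, canon, hashlib.sha256).hexdigest()


def render_form(fields, action="/cart/add"):
    """Emit the hidden fields plus a 'sig' field that binds them together."""
    lines = [f'<form method="POST" action="{escape(action)}">']
    for k, v in fields.items():
        lines.append(f'  <input type="hidden" name="{escape(k)}" '
                     f'value="{escape(str(v))}">')
    lines.append(f'  <input type="hidden" name="sig" value="{sign_fields(fields)}">')
    lines.append('  <input type="submit" value="Add to cart">')
    lines.append("</form>")
    return "\n".join(lines)


def verify_submission(body, client_ip):
    """Recompute the digest over every submitted field except 'sig'.
    Any changed, added or removed field alters the digest. Returns the
    fields on success, or None after logging the discrepancy."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    sig = fields.pop("sig", "")
    expected = sign_fields(fields)
    if not hmac.compare_digest(sig, expected):
        TAMPER_LOG.append({"ip": client_ip, "fields": fields})
        log.warning("form signature mismatch from %s: %s", client_ip, fields)
        return None
    return fields


if __name__ == "__main__":
    form = render_form({"item": "SKU-100", "price": "4999"})
    print(form)
    sig = sign_fields({"item": "SKU-100", "price": "4999"})
    # Constructed submissions: the original form, then one with the price edited.
    print(verify_submission(f"item=SKU-100&price=4999&sig={sig}", "192.0.2.10"))
    print(verify_submission(f"item=SKU-100&price=1&sig={sig}", "192.0.2.10"))
```

A signed form still binds an item to the price current when the form was rendered, so a store that changes prices should include a timestamp or order ID among the signed fields and reject stale submissions; and since the server already knows the catalogue price, the cleanest deployment uses the signature as tamper detection while still pricing from the database.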

ISS X-Force recommends contacting ISS' Consulting and Education Group (CEG)
to perform a security assessment against your e-commerce solution to ensure
and validate the security of your e-business applications. For more
information, please contact CEG at <mailto:ceg@iss.net> or
1-800-776-2362.

About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.



X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net>
of Internet Security Systems, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOJcEjjRfJiV99eG9AQGPtgP/WpEP9MNhMK8GiGTzKz+KGbrxSh7S85m9
D+QyblWJqIFpTPAEbiLcvy5S0riXtVNdR9+qjM38r4Rq666bu8UMMaHMPizm/4Tt
jY8J3RpcUJqw1qAaB6MB8R+TAG/BSRMHi0dvIrgy4VC6sWqglH7jltQMwxer60SS
gRxGEK27HHc=
=ZRpU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOJ/auSh9+71yA2DNAQH29gQAkL+GhpZlBOnTgCJIgOf4qGQA7vV0HQh5
VuphkQwishjxKzVkL8XMzwU4+XtTpZe6y9sDo/GK1oBG53zZ8xC3dl6gH97szwE+
3RCqzwaYr8TKroVjCFSvSKpEOD0E5CuQwIFh4FWwb0oXt7GMXYnROUCLKfDPAKl2
KJgbdHXJWTk=
=/beg
-----END PGP SIGNATURE-----