Re: [xforceat_private: ISSalert: ISS E-Security Alert: Form

From: Erik Gjertsen (erikat_private)
Date: Thu Feb 03 2000 - 06:42:18 PST


    	I've been doing some testing with an application not mentioned
    here, namely Filemaker (former Claris Filemaker) which is a database
    application that can be used together with a web-publishing plugin or the
    Lasso web server to provide a simple "shopping cart" type system.
    
    Filemaker uses _both_ HTML forms, and URLs for the exchange of information
    between the web-plugin/lasso and the database backend. I have tested
    several sites based on this system, and changing and/or deleting
    information stored in the database from a web-browser is a trivial task,
    even without modifying forms locally.
    
    AFAIK, Filemaker & lasso/web-companion do not provide any method of
    checking the referrer field - in fact, only a few variables passed by
    the browser can be checked - leaving those systems (and according to
    Filemaker, that's quite a few) very vulnerable.
    
    The only way to protect a Filemaker database is to set up the built-in web
    security system, so that databases such as stock- and price-lists are
    "read-only" from web. That still leaves the order-database unprotected
    (you will need write access to that database in order to place orders).
    
    Some tests on random sites picked from Filemaker's "Happy customers" list
    revealed that all the tested sites (admittedly not that many...) were
    vulnerable. Changing prices and other database information could be very
    easily accomplished.
    
    I am aware that Filemaker is not really an ideal application for this
    purpose at all, but since there are so many "Happy Customers" using it for
    exactly that, I found it worth mentioning.
    
    On Tue, 1 Feb 2000, Patrick Oonk wrote:
    
    > Date: Tue, 1 Feb 2000 20:20:34 +0100
    > From: Patrick Oonk <patrickat_private>
    > To: BUGTRAQat_private
    > Subject: [xforceat_private: ISSalert: ISS E-Security Alert: Form Tampering
    >                 Vulnerabilities in Several Web-Based Shopping Cart
    >     Applications]
    >
    > ----- Forwarded message from X-Force <xforceat_private> -----
    >
    > Delivered-To: alert-out-linkat_private
    > Date: Tue, 1 Feb 2000 11:08:50 -0500 (EST)
    > From: X-Force <xforceat_private>
    > To: alertat_private
    > Subject: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
    > Precedence: bulk
    > Reply-To: X-Force <xforceat_private>
    > X-Loop: alert
    >
    >
    > TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
    > majordomoat_private  Contact alert-ownerat_private for help with any problems!
    > ---------------------------------------------------------------------------
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > ISS E-Security Alert
    > February 1, 2000
    >
    > Form Tampering Vulnerabilities in Several Web-Based Shopping Cart
    > Applications
    >
    > Synopsis:
    >
    > There are form tampering vulnerabilities present in several web-based
    > shopping cart applications. Over the past couple of years, form tampering
    > vulnerabilities have been discussed on security forums. ISS X-Force has
    > continued to research this area due to the constant increase in e-commerce.
    > ISS X-Force has identified eleven shopping cart applications that are
    > vulnerable to price changing using form tampering. It is possible for an
    > attacker to take advantage of the form tampering vulnerabilities and order
    > items at a reduced price on an e-commerce site. The web store operator
    > should verify the price of each item ordered in the shopping cart
    > application database or email invoice.
    >
    > Description:
    >
    > Many web-based shopping cart applications use hidden fields in HTML forms to
    > hold parameters for items in an online store. These parameters can include
    > the item's name, weight, quantity, product ID, and price. An application
    > that bases price on a hidden field in an HTML form may be compromised by
    > this vulnerability. An attacker could modify the HTML form on their local
    > machine to change the price of the item and then load the page into a web
    > browser. After submitting the form, the item is added to their shopping cart
    > at the modified price. Vulnerable shopping cart applications use a hidden
    > field containing the price of an item. When the value of that hidden field
    > is changed, the shopping cart application stores the changed price in its
    > database and/or e-mail invoice. This vulnerability can also affect hidden
    > discount fields in the HTML form. An attacker can modify the discount fields
    > to get a discount on items without actually modifying the price in the form.
    > If a site processes credit card orders in real time, it may not be possible
    > to verify the price of each item before the credit card is charged.
    >
    > Another situation that can lead to price changing occurs when the price of
    > an item is listed in a URL. When clicking a link, the CGI program will add
    > the item to the shopping cart with the price set in the URL. Simply
    > changing the price in the URL will add the item to the shopping cart at
    > the modified price. Shopping cart software should not rely on the web
    > browser to set the price of an item.
    >
    > Several of these applications use a security method based on the HTTP header
    > to verify the request is coming from an appropriate site. The applications
    > tested do not check to see if there is a referrer in the HTTP header, so the
    > transaction will continue if the form is submitted from a hard drive.
    > Microsoft Internet Explorer 5.0 does not include a referrer field in the
    > HTTP header if the form is submitted from a page stored on a local drive
    > (see Microsoft Knowledge Base article Q178066). The inclusion of a referrer
    > field makes it more difficult to exploit these form tampering
    > vulnerabilities. However, a referrer field can be modified, allowing an
    > attacker to take advantage of these vulnerabilities.
    >
    > The ISS X-Force has identified eleven shopping cart applications that are
    > vulnerable to form tampering. ISS X-Force has notified all the listed
    > shopping cart software companies of the form tampering vulnerabilities and
    > will continue to work with them to ensure their software is secure. The
    > following is a list of the affected vendors and their response to these
    > vulnerabilities in the 45 day alert process.
    >
    > Check It Out (http://ssl.adgrafix.com) has completed securing their software
    > against these vulnerabilities.
    >
    > Seven shopping cart software companies have modified their applications to
    > provide a higher level of security:
    > @Retail (http://www.atretail.com)
    > Cart32 2.6 (http://www.cart32.com)
    > CartIt 3.0 (http://www.cartit.com)
    > Make-a-Store OrderPage (http://www.make-a-store.com)
    > SalesCart (http://www.salescart.com)
    > SmartCart (http://www.smartcart.com)
    > Shoptron 1.2 (http://www.shoptron.com)
    >
    > Three have not yet provided any fix information:
    > EasyCart (http://www.easycart.com)
    > Intellivend (http://www.intellivend.com)
    > WebSiteTool (http://www.websitetool.com)
    >
    > Consulting and contracting firms may use shopping cart techniques to create
    > e-commerce pages for customers, making it possible for many other e-commerce
    > sites to be vulnerable to these form tampering vulnerabilities.
    >
    > Additional Information:
    >
    > For more information on other vulnerabilities that involve hidden form
    > fields in HTML pages, see the white paper on the MSC Hidden Form Field
    > Vulnerability at http://www.miora.com/files/index.htm.
    >
    > In April 1999 the BugTraq mailing list hosted a discussion
    > about a different type of shopping cart vulnerability that would allow
    > attackers to expose users' credit card and order information to the
    > public. For more information on this go to:
    > http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-8&thread=Pine.LNX.3.96.990420132956.13470B-100000at_private
    >
    > Recommendations:
    >
    > If an e-commerce site is vulnerable to price changing, the shopping cart
    > software should be upgraded or changed. If this is not possible, verify the
    > price of each item in every completed order to ensure that no one is
    > exploiting this vulnerability.
    >
    > A technique that fixes the form tampering vulnerability is described in the
    > September 1998 issue of Web Techniques in an article written by Dr. Lincoln
    > D. Stein. The article is available at:
    > http://www.webtechniques.com/archives/1998/09/webm/.
    > In the article, Dr. Stein describes a technique that prevents HTML forms
    > from being modified without knowledge. By computing MD5 sums of a secret key
    > and form data before and after form submission, there is a method to
    > verify that no tampering has occurred. All MD5 sum discrepancies can be
    > output to a log file that includes the IP address of the attacker's
    > machine.
    >
    > ISS X-Force recommends contacting ISS' Consulting and Education Group (CEG)
    > to perform a security assessment against your e-commerce solution to ensure
    > and validate the security of your e-business applications. For more
    > information, please contact CEG at <mailto:cegat_private> or
    > 1-800-776-2362.
    >
    > About ISS
    > ISS is a leading global provider of security management solutions for
    > e-business. By offering best-of-breed SAFEsuite(tm) security software,
    > comprehensive ePatrol(tm) monitoring services and industry-leading
    > expertise, ISS serves as its customers' trusted security provider protecting
    > digital assets and ensuring the availability, confidentiality and integrity
    > of computer systems and information critical to e-business success. ISS'
    > security management solutions protect more than 5,000 customers including 21
    > of the 25 largest U.S. commercial banks, 9 of the 10 largest
    > telecommunications companies and over 35 government agencies. Founded in
    > 1994, ISS is headquartered in Atlanta, GA, with additional offices
    > throughout North America and international operations in Asia, Australia,
    > Europe and Latin America. For more information, visit the ISS Web site at
    > www.iss.net or call 888-901-7477.
    >
    > Copyright (c) 2000 by Internet Security Systems, Inc.
    >
    > Permission is hereby granted for the redistribution of this Alert
    > electronically. It is not to be edited in any way without express consent
    > of the X-Force. If you wish to reprint the whole or any part of this Alert
    > in any other medium excluding electronic medium, please e-mail
    > xforceat_private for permission.
    >
    > Disclaimer
    >
    > The information within this paper may change without notice. Use of this
    > information constitutes acceptance for use in an AS IS condition. There are
    > NO warranties with regard to this information. In no event shall the author
    > be liable for any damages whatsoever arising out of or in connection with
    > the use or spread of this information. Any use of this information is at the
    > user's own risk.
    >
    >
    >
    > X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
    > as on MIT's PGP key server and PGP.com's key server.
    >
    > Please send suggestions, updates, and comments to: X-Force <xforceat_private>
    > of Internet Security Systems, Inc.
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: 2.6.3a
    > Charset: noconv
    >
    > iQCVAwUBOJcEjjRfJiV99eG9AQGPtgP/WpEP9MNhMK8GiGTzKz+KGbrxSh7S85m9
    > D+QyblWJqIFpTPAEbiLcvy5S0riXtVNdR9+qjM38r4Rq666bu8UMMaHMPizm/4Tt
    > jY8J3RpcUJqw1qAaB6MB8R+TAG/BSRMHi0dvIrgy4VC6sWqglH7jltQMwxer60SS
    > gRxGEK27HHc=
    > =ZRpU
    > -----END PGP SIGNATURE-----
    >
    >
    >
    >
    > ----- End forwarded message -----
    >
    > --
    >  Patrick Oonk - PO1-6BONE - patrickat_private - www.pine.nl/~patrick
    >  Pine Internet B.V.      PINE31337-RIPE        PGP key ID BE7497F1
    >  Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
    >  ----    Pine Security Digest - http://security.nl/ (Dutch)   ----
    >  Excuse of the day: Your excuse is: The keyboard isn't plugged in
    >
    
    ---[ erik gjertsen ]--------- -    - -      -          -
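The alert's two recommendations, a keyed digest over the hidden fields (Stein's technique, which it describes as MD5 of a secret key plus the form data) and never letting the browser set the price, as an added example that is not part of the thread, the ISS alert, or any of the listed products. It uses HMAC-SHA256 instead of a bare MD5 of secret + data, since a bare hash over secret-prefixed data is open to length extension; the catalogue, secret, SKU names and client address are constructed for the demo, and the list standing in for the alert's log file is a stand-in too.

```python
"""Server-side verification of hidden form fields: sign them when the form is
rendered, check the digest on submission, log mismatches with the client
address, and charge the catalogue price regardless of what was submitted."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Constructed values for the demo; a real deployment keeps the secret out of
# the form and loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret"
CATALOGUE = {"SKU-100": 4999, "SKU-200": 1250}   # unit price in cents
FIELD_ORDER = ("item", "price", "qty")          # fields covered by the digest
TAMPER_LOG = []                                  # stands in for the alert's log file


def sign_fields(fields, secret=SERVER_SECRET):
    """Keyed digest over the hidden fields in a fixed order, so the server can
    recompute it exactly on submission."""
    canonical = "&".join(f"{k}={fields[k]}" for k in FIELD_ORDER).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def render_hidden_fields(item, qty, catalogue=CATALOGUE):
    """Hidden inputs as a shopping-cart form would carry them, plus the digest.
    The price comes from the catalogue, not from anything the client sent."""
    fields = {"item": item, "price": str(catalogue[item]), "qty": str(qty)}
    fields["sig"] = sign_fields(fields)
    return "\n".join(
        f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields.items()
    )


def form_to_query(html):
    """Turn the hidden inputs back into the query string a browser would submit
    (used here to simulate both an honest and a tampered submission)."""
    pairs = re.findall(r'name="([^"]+)" value="([^"]*)"', html)
    return urlencode(pairs)


def process_order(query_string, remote_addr, catalogue=CATALOGUE):
    """Handle a submitted form. Returns (accepted, unit_price_charged_in_cents).
    Any digest discrepancy is logged together with the client address, as the
    alert recommends, and the order is refused."""
    fields = dict(parse_qsl(query_string, keep_blank_values=True))
    if any(k not in fields for k in FIELD_ORDER + ("sig",)):
        TAMPER_LOG.append(f"{remote_addr} missing fields, got {sorted(fields)}")
        return (False, None)
    submitted = {k: fields[k] for k in FIELD_ORDER}
    expected = sign_fields(submitted)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(expected, fields["sig"]):
        TAMPER_LOG.append(f"{remote_addr} digest mismatch for {submitted}")
        return (False, None)
    item = submitted["item"]
    if item not in catalogue:
        TAMPER_LOG.append(f"{remote_addr} unknown item {item!r}")
        return (False, None)
    # Even with a valid digest, the price charged is the catalogue's, never the form's.
    return (True, catalogue[item])


if __name__ == "__main__":
    html = render_hidden_fields("SKU-100", 2)
    honest = form_to_query(html)
    print("honest submission:", process_order(honest, "198.51.100.7"))
    tampered = honest.replace("price=4999", "price=1")   # edited-on-disk form
    print("tampered submission:", process_order(tampered, "198.51.100.7"))
    for entry in TAMPER_LOG:
        print("log:", entry)
```

The digest only proves the hidden fields are the ones the server emitted; it does not make a client-supplied price trustworthy, which is why `process_order` still charges the catalogue value. Sites that process cards in real time, as the alert notes, get no second chance to verify the price after the fact, so the check has to run before the charge.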
    


