Shopping-cart glitch could give hackers a discount

by Ann Harrison (IDG) -- An Internet security firm has issued an alert for what it describes as form-tampering vulnerabilities in several Web-based shopping cart applications. Internet Security Systems Inc. (ISS) in Atlanta on Tuesday released a statement saying it had identified 11 shopping-cart applications that use flawed online forms, which intruders could exploit to change prices or discounts at e-commerce sites.

Many shopping-cart applications use hidden fields in HTML forms to carry product parameters such as quantity, name and price. When the form is submitted, that hidden data is sent from the customer's browser back to the site along with whatever the customer filled in. However, "hidden" data is hidden only from the customer's view of the rendered page; anyone can read it by viewing the form's HTML source. According to ISS, an attacker can save the form to a local drive, edit the price in the hidden field, load the modified page back into the browser and submit it to add the item to the cart. The cart application then records the tampered price in the site's database or in the e-mailed invoice.

ISS also identified a second variant, in which an item's price is carried in the Web address that adds it to the cart when the link is clicked. The price can be edited in that address just as easily, and ISS noted that shopping-cart software should not rely on the Web browser to set the price of an item.

Some shopping-cart applications use a check on an HTTP header to verify that a request comes from an appropriate site, but ISS said the flawed applications do not implement this check. The company points out that Microsoft Internet Explorer 5.0 does not send the Referer header at all when a form is submitted from a page stored on a local drive, so a missing Referer is itself a sign of a locally edited form. The Referer check would make tampering somewhat harder, but since the header is supplied by the client it is no substitute for setting prices on the server.
ISS said it has alerted the developers of the vulnerable shopping cart applications. The company announced that Adgrafix Corp. has completed securing its software against these vulnerabilities, and that seven other shopping cart software companies have modified their applications to provide a higher level of security. According to ISS, three companies had not provided any fix information by the end of their 45-day alert period. Form-tampering vulnerabilities have been discussed in security forums for several years; a detailed discussion of the problem was posted on the BugTraq mailing list in April last year. ISS said one technique for fixing the form-tampering vulnerability is available at the Web Techniques site (see link below), and a white paper on hidden form field vulnerabilities can be found at the InfoSec Labs site (see link below). If it is not possible to upgrade or change vulnerable software, ISS suggests that e-commerce sites verify the prices of ordered items against their own price lists to ensure the vulnerability is not being exploited. ISS warns, however, that sites which process credit-card orders in real time may not be able to verify prices before the card is charged.
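The following is an added example, not code from the ISS alert, the article or any of the products it names. It models an "add to cart" handler in Python to show the hidden-field attack described above, the URL-price variant, why the Referer check is a weak defence, and the after-the-fact price audit ISS suggests for sites that cannot upgrade. The catalog, SKUs, request bodies and function names are all constructed for the example.

```python
# Added example: hidden-field price tampering and a server-side fix.
# Catalog, SKUs and request bodies are constructed for illustration.
from urllib.parse import parse_qs, urlsplit

# The only place a price should ever come from: the server's own catalog.
CATALOG = {
    "SKU-100": {"name": "Widget", "price_cents": 4999},
    "SKU-200": {"name": "Gadget", "price_cents": 12900},
}

# Constructed traffic. The legitimate page carries price=4999 in a hidden
# field; the attacker saved the page, edited the field to price=1 and
# resubmitted it from the local copy.
LEGIT_BODY = "sku=SKU-100&quantity=2&price=4999"
TAMPERED_BODY = "sku=SKU-100&quantity=2&price=1"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def add_to_cart_vulnerable(body: str) -> dict:
    """The flawed pattern: the hidden 'price' field is trusted as submitted."""
    form = parse_form(body)
    qty = int(form["quantity"])
    price = int(form["price"])  # attacker-controlled
    return {"sku": form["sku"], "qty": qty, "total_cents": qty * price}


def price_line(sku: str, qty_text: str) -> dict:
    """Server-side pricing: validate the product id and quantity, then
    look the price up in CATALOG. Any client-supplied price is ignored."""
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(qty_text)
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return {"sku": sku, "qty": qty,
            "total_cents": qty * CATALOG[sku]["price_cents"]}


def add_to_cart_fixed(body: str) -> dict:
    """Form variant of the fix: only sku and quantity are read from the form."""
    form = parse_form(body)
    return price_line(form.get("sku", ""), form.get("quantity", "0"))


def add_from_link_fixed(url: str) -> dict:
    """URL variant of the fix: a 'price' in the query string is ignored too."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return price_line(query.get("sku", ""), query.get("quantity", "1"))


def referer_check(headers: dict, site: str = "https://shop.example") -> bool:
    """The Referer check some carts relied on. It rejects a form submitted
    from a local file (IE 5.0 sends no Referer then), but the header is
    set by the client, so a tampered request can simply include it."""
    return headers.get("Referer", "").startswith(site)


def audit_order(order: dict) -> list:
    """Compensating control for sites that cannot upgrade: recompute each
    line against CATALOG and return every line whose total does not match,
    so the order can be held before fulfilment (or before charging the card,
    where the payment flow allows it)."""
    problems = []
    for line in order["lines"]:
        expected = CATALOG[line["sku"]]["price_cents"] * line["qty"]
        if line["total_cents"] != expected:
            problems.append((line["sku"], line["total_cents"], expected))
    return problems


if __name__ == "__main__":
    print("vulnerable, tampered:", add_to_cart_vulnerable(TAMPERED_BODY))
    print("fixed, tampered:     ", add_to_cart_fixed(TAMPERED_BODY))
    print("fixed, link variant: ",
          add_from_link_fixed("https://shop.example/add?sku=SKU-200&price=5"))
    print("referer, local file: ", referer_check({}))
    print("referer, forged:     ",
          referer_check({"Referer": "https://shop.example/item/SKU-100"}))
    print("audit of tampered order:",
          audit_order({"lines": [add_to_cart_vulnerable(TAMPERED_BODY)]}))
```

The two fixed handlers accept the very same tampered requests as the vulnerable one; they simply never read the price from the client, which is the fix ISS recommends. The audit function is the fallback for sites that cannot change the cart software: it catches a tampered line after the fact, which is why ISS warns that real-time card processing may charge the wrong amount before the check can run.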
© 2001 Cable News Network. All Rights Reserved.