Bugtraq mailing list archives

Re: Another hole in Cart32


From: aclover () 1VALUE COM (Clover Andrew)
Date: Tue, 23 May 2000 20:30:55 +0200


sert sert <sert_is () HOTMAIL COM> wrote:

> They seem to be relying on the client to properly use the security
> options available in the package.

The options they outline *do not* represent any level of security,
"properly" used or not. Anyone can get around the POST restriction
by simply creating a form themselves, and anyone can get around
the Referer check by connecting to the HTTP server either by hand
or using a non-web-browser tool and sending the Referer header
themselves.

Worse, the Referer check will break functionality on any browser
that does not support, or has been configured not to give (for
privacy reasons) referring page information.

A security policy that relies on trusting the user agent is no
security policy at all. With a shopping cart made entirely from
client-side JavaScript, such exploits are understandable. When
it's a server-side set of scripts, relying on trust is
inexcusable.

Michael Form <mike () SECTOR001 ORG> suggested:

> all Cart32 users should skim through the orders to see any
> noticeable price errors.

Indeed.

High-tech! E-commerce!! Let's go!!!

--
Andrew Clover
Technical Support
1VALUE.com AG
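The post above makes two points: a cart must not trust anything the user agent sends (request method, Referer header, or form field values), and existing orders should be checked for price errors. The following is an added example, not Cart32 code and not from anyone in the thread, showing a server-side order handler that takes only a product id and quantity from the client and prices the order from a server-side catalog, alongside the trusting pattern for contrast, plus an audit routine that recomputes stored totals. The catalog, field names (`sku`, `qty`, `price`) and sample submissions are constructed for illustration.

```python
"""Added example (not from the original thread or Cart32): price an order
from a server-side catalog so that a forged form, a hand-built POST or a
spoofed Referer header cannot change the total. Catalog, field names and
sample submissions are constructed for illustration."""

from decimal import Decimal

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {
    "SKU-100": Decimal("19.95"),
    "SKU-200": Decimal("249.00"),
}

MAX_QTY = 100


class OrderError(ValueError):
    """Raised for any submission that does not validate server-side."""


def parse_quantity(raw):
    """Accept only a small positive integer; reject anything else."""
    try:
        qty = int(raw)
    except (TypeError, ValueError):
        raise OrderError(f"bad quantity: {raw!r}")
    if not 1 <= qty <= MAX_QTY:
        raise OrderError(f"quantity out of range: {qty}")
    return qty


def price_order(form):
    """form: dict of submitted fields, as a CGI script would receive them.
    Only 'sku' and 'qty' are honoured; any 'price' or 'total' field the
    client sends is ignored, so no Referer or method check is needed for
    pricing integrity."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise OrderError(f"unknown product: {sku!r}")
    qty = parse_quantity(form.get("qty"))
    unit = CATALOG[sku]
    return {"sku": sku, "qty": qty, "unit_price": unit, "total": unit * qty}


def trusting_price_order(form):
    """The pattern the thread objects to: the cart accepts whatever price
    the client posted. Shown only to contrast with price_order()."""
    sku = form.get("sku")
    qty = parse_quantity(form.get("qty"))
    unit = Decimal(form.get("price"))
    return {"sku": sku, "qty": qty, "unit_price": unit, "total": unit * qty}


def audit_orders(orders):
    """Recompute each stored order's total from the catalog and return the
    ones that disagree: a server-side version of 'skim the orders for
    noticeable price errors'."""
    flagged = []
    for order in orders:
        expected = CATALOG.get(order["sku"])
        if expected is None or order["total"] != expected * order["qty"]:
            flagged.append(order)
    return flagged


# Constructed submissions: a normal one and one whose price field was
# altered before being posted (the client controls every byte it sends).
NORMAL = {"sku": "SKU-200", "qty": "1", "price": "249.00"}
TAMPERED = {"sku": "SKU-200", "qty": "1", "price": "0.01"}

if __name__ == "__main__":
    print(price_order(NORMAL)["total"])            # 249.00
    print(price_order(TAMPERED)["total"])          # 249.00, price field ignored
    print(trusting_price_order(TAMPERED)["total"]) # 0.01, the hole
    stored = [trusting_price_order(NORMAL), trusting_price_order(TAMPERED)]
    print(audit_orders(stored))                    # only the 0.01 order
```

The design point is that `price_order` needs no knowledge of how the request arrived; it validates the two fields it uses and derives everything else from data the server owns. `audit_orders` applies the same catalog lookup retroactively, which is the check a site that already ran the trusting code would want.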


