Bugtraq mailing list archives

Re: Price modification in Element InstantShop


From: "Glover, Mike" <webmaster () DULUOZ NET>
Date: Wed, 25 Oct 2000 00:27:13 -0700


[snip of exploit which manipulates HTML hidden form inputs]

Regrettably common, I think.

This is just a reminder (with PHP3 code) that one simple technique
to protect against this kind of tampering is to use a signature
to validate the hidden values.

   Wouldn't it just be better not to pass prices through forms at all?
If you've got the ability to run a scripting language, you can store
all of your prices in a database -- even a flat text file would work.
Then the form and the processing page just look up the price in the
database.  Makes your storefront more maintainable, too.


In PHP3, it is as simple as using md5 with a secret, like this:

  $secret = "Some constant, unrevealed string.";

  /* On writing out the form */
  echo "<INPUT TYPE=hidden NAME=price VALUE=\"$price\">";
  echo "<INPUT TYPE=hidden NAME=hidden2 VALUE=\"$hidden2\">";
  echo "<INPUT TYPE=hidden NAME=hidden3 VALUE=\"$hidden3\">";
  echo "<INPUT TYPE=hidden NAME=hiddensig VALUE=\"" .
        md5($price . $hidden2 . $hidden3 . $secret) . "\">";

  /* On reading in the form */
  if (md5($price . $hidden2 . $hidden3 . $secret) != $hiddensig) {
     /* Tampering detected */
  } else {
     /* Signature matches expected */
  }

   This would work, but it's not very flexible.  The form needs to
know what data is sensitive and what isn't, and the processing page
needs to have the same list.  If the two lists fall out of sync,
your page stops working, or you've got the same problem all over
again -- just with more complexity in your code.

  Also, what happens when you raise prices?  Attackers can still
replay old sessions and buy at the old prices.  To fix this you'd
need to change the secret every time you raised prices.  At the
very least, this is inconvenient and one more thing to keep in
sync every time you make a change.

-mike


Forrest J. Cavalier III, Mib Software  Voice 570-992-8824
http://www.rocketaware.com/ has over 30,000 links to
source, libraries, functions, applications, and documentation.



--

Mike Glover                            webmaster () duluoz net
Duluoz Networks                        http://www.duluoz.net
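The two designs argued over in this thread, as an added example that is not part of either poster's message or of Element InstantShop: signing every hidden field with an HMAC over a canonical encoding (so the form and the processing page need no shared list of "sensitive" fields), folding a price-list version and an expiry into the signed data (so an old form cannot be replayed after a price rise), and the server-side price lookup Mike prefers. The secret, the price list, the version number and the item ids are constructed for the example; `naive_sig` reproduces the concatenation of the quoted PHP3 scheme only to show why field boundaries need delimiting.

```python
import hashlib
import hmac
import html
import json
import time

# Constructed values for this example; a real site loads the secret from
# configuration and keeps the price list in a database, as the reply suggests.
SECRET = "example-secret-not-for-production"
PRICE_LIST = {"widget": 1999, "gadget": 4999}   # cents, keyed by item id
PRICE_LIST_VERSION = 7                          # bump whenever prices change


def naive_sig(a, b, secret=SECRET):
    """The quoted scheme: md5 over plain concatenation. Field boundaries are
    lost, so different field values can yield the same digest."""
    return hashlib.md5((a + b + secret).encode()).hexdigest()


def canonical(fields):
    """Sorted-key compact JSON: every name and value is delimited, so the
    boundary ambiguity of naive concatenation cannot occur."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_fields(fields, secret=SECRET, version=PRICE_LIST_VERSION, expires=None):
    """Return the hidden fields plus an HMAC-SHA256 tag over all of them.
    The version and expiry are signed too, so a captured form stops
    validating after a price change or after it has aged out."""
    signed = dict(fields)
    signed["_version"] = str(version)
    signed["_expires"] = str(expires if expires is not None else int(time.time()) + 3600)
    signed["_sig"] = hmac.new(secret.encode(), canonical(signed), hashlib.sha256).hexdigest()
    return signed


def hidden_inputs(signed):
    """Render the signed fields as hidden inputs, escaping values for HTML."""
    return "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in signed.items()
    )


def verify_fields(submitted, secret=SECRET, now=None):
    """Check the tag over every submitted field except _sig itself.
    Returns (ok, reason). Because all fields are covered, the form page and
    the processing page never have to agree on which fields are sensitive."""
    now = int(time.time()) if now is None else now
    fields = dict(submitted)
    tag = fields.pop("_sig", "")
    expected = hmac.new(secret.encode(), canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return False, "signature mismatch"
    if fields.get("_version") != str(PRICE_LIST_VERSION):
        return False, "stale price list"
    if int(fields.get("_expires", "0")) < now:
        return False, "form expired"
    return True, "ok"


def checkout_price(submitted, now=None):
    """The design the reply prefers: the form names the item and the server
    looks the price up, so no price ever travels through the client."""
    ok, _ = verify_fields(submitted, now=now)
    if not ok:
        return None
    return PRICE_LIST.get(submitted.get("item"))


if __name__ == "__main__":
    form = sign_fields({"item": "widget", "qty": "2"})
    print(hidden_inputs(form))
    print("honest submit:", verify_fields(form), checkout_price(form))
    tampered = dict(form, qty="200")
    print("tampered submit:", verify_fields(tampered), checkout_price(tampered))
    print("naive collision:", naive_sig("1", "23") == naive_sig("12", "3"))
```

Because the form carries only an item id and the server consults `PRICE_LIST`, a price rise needs no secret rotation: bumping `PRICE_LIST_VERSION` invalidates every form signed before the change, which is the replay case raised above.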

