Info
Last Modified: 7 months ago
Description
Dragonfly Commerce contains a flaw that may allow a remote attacker to manipulate product prices without authorization. The issue is due to the dc_productslist_Clearance.asp script not properly validating user input: the product price is carried in the 'x_DragonflyCartProductPrice' hidden form field and is accepted as submitted. By modifying that hidden field before submission, an attacker can set an arbitrary price for an item before purchasing it.
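The following is an added example (not Dragonfly Commerce code) contrasting a checkout handler that trusts the posted hidden-field price, the pattern the advisory describes, with one that re-derives the price from a server-side catalogue and flags a mismatch so it can be logged. Only the hidden-field name x_DragonflyCartProductPrice comes from the advisory; the other field names (x_ProductID, x_Quantity), the product ids, prices and request bodies are constructed for illustration.

```python
# Added example, not Dragonfly Commerce code: a checkout handler that trusts the
# client-supplied hidden price field, beside one that re-derives the price from
# the server-side catalogue and flags a mismatch for logging.
# Only the hidden-field name x_DragonflyCartProductPrice comes from the advisory;
# the other field names, product ids and prices are constructed for illustration.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalogue: product id -> the price the store intends.
CATALOG = {
    "1001": Decimal("49.99"),
    "1002": Decimal("19.95"),
}


@dataclass
class OrderLine:
    product_id: str
    quantity: int
    unit_price: Decimal
    price_mismatch: bool = False  # set when the posted price disagreed with the catalogue


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded POST body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_checkout(body: str) -> OrderLine:
    """The flawed pattern: whatever price the browser posted in the hidden
    field is used as the unit price, so an attacker who edits the field before
    submission sets their own price."""
    form = parse_form(body)
    return OrderLine(
        product_id=form["x_ProductID"],
        quantity=int(form["x_Quantity"]),
        unit_price=Decimal(form["x_DragonflyCartProductPrice"]),
    )


def hardened_checkout(body: str) -> OrderLine:
    """Never take the price from the client. Look it up server-side by product
    id, validate the quantity, and record (rather than trust) a posted price
    that disagrees with the catalogue so the attempt can be logged."""
    form = parse_form(body)
    product_id = form.get("x_ProductID", "")
    if product_id not in CATALOG:
        raise KeyError(f"unknown product id {product_id!r}")
    try:
        quantity = int(form.get("x_Quantity", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if quantity < 1:
        raise ValueError("quantity must be at least 1")
    real_price = CATALOG[product_id]
    posted = form.get("x_DragonflyCartProductPrice")
    mismatch = False
    if posted is not None:
        try:
            mismatch = Decimal(posted) != real_price
        except InvalidOperation:
            mismatch = True  # a non-numeric price is tampering too
    return OrderLine(product_id, quantity, real_price, mismatch)


def order_total(line: OrderLine) -> Decimal:
    return line.unit_price * line.quantity


# Constructed requests: the attacker rewrote the hidden price from 49.99 to 0.01.
TAMPERED_BODY = "x_ProductID=1001&x_Quantity=3&x_DragonflyCartProductPrice=0.01"
HONEST_BODY = "x_ProductID=1001&x_Quantity=3&x_DragonflyCartProductPrice=49.99"

if __name__ == "__main__":
    print("vulnerable total:", order_total(vulnerable_checkout(TAMPERED_BODY)))
    safe = hardened_checkout(TAMPERED_BODY)
    print("hardened total:", order_total(safe), "mismatch flagged:", safe.price_mismatch)
```

The hardened handler deliberately does not reject a request whose posted price disagrees with the catalogue, since a legitimate price change between page load and submission would look the same; it charges the server-side price regardless and surfaces the mismatch so repeated attempts can be alerted on. The same comparison, run against a store's own checkout with an edited hidden field, is a quick check for whether an installation is affected.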
Classification
Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored / Private
OSVDB: Web Related
Technical
The vendor originally disputed these claims, saying "Dragonfly Commerce does not allow for editing prices nor does it allow for viewing information about clients stored in the database except by the store owner and authorized staff as appointed in the store administration." However, subsequent testing by SecurityTracker verified the original findings and confirmed the vulnerability. The vendor silently released a fix several days later.
Solution
No workaround is known. Incredible Interactive has released a patch that addresses this vulnerability.
Products
Dragonfly Commerce (version unknown or unspecified)
Credit
- Diabolic Crab (dcrab), hackerscenter.com