OSVDB ID: 18449

Title: Dragonfly Commerce dc_Categorieslist.asp Hidden Field Modification Product Price Manipulation

Info

Disclosure

Jul 12, 2005

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Dragonfly Commerce contains a flaw that may allow a remote attacker to manipulate prices without authorization. The issue is due to the dc_Categorieslist.asp script not properly sanitizing user input. By modifying the 'x_DragonflyCartProductPrice' hidden field before submission, it is possible for an attacker to manipulate prices in the system before purchasing an item.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored / Private
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Incredible Interactive has released a patch to address this vulnerability.

Products

Incredible Interactive

Dragonfly Commerce

Unknown or Unspecified

References

Security Tracker: 1014451
Secunia Advisory ID: 16007
Related OSVDB ID: 18441 18446 18447 18448
CVE ID: 2005-2220 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0196.html
Vendor Specific Advisory URL: http://www.incredibleinteractive.com/Active/content.asp?getcontent=41

Credit

Diabolic Crab - dcrabhackerscenter.com - Personal Page

Direct URL: http://osvdb.org/36218