Event Summary
With well over 300 websites using Cart32, it's rather shocking that the big security hole that was reported by Bunny69 back in May still exists in Cart32. Bunny69 reported this hole on May 22 to the SecurityFocus Bugtraq security bugs list, and as of today, we have found Cart32 sites still using this blatantly insecure product.
To change the price of a product being sold using Cart32, on the page that has the price, you simply save the HTML code on your hard drive, and edit the source. For example, if an item is priced at $119.00 you remove the 9 and the price becomes $11.00.
This security hole is so easy to exploit, that any transaction systems that dump this information directly into a backend database without further inspection may have already lost ample revenue dollars due to this exploit.
Market Impact
With so many security vulnerabilities being exposed and talked about in the media, it is rather shocking that companies still don't perform due diligence when it comes to security. Any company accepting financial transactions over the Internet should have an outside security audit done so that they can plug their security holes before their profitability gets plugged.
Companies selling e-commerce products need to be held accountable by their customers for selling products with such easy-to-exploit security holes. Customers need to start being more insistent on security patches and start holding vendors liable.
User Recommendations
Some of the various security integrators and consultants who can assist some of these Cart32 customers and other e-commerce vendors include:
Electronic shopping carts commonly have similar vulnerabilities, and any site using them should proceed with caution.