Event Summary
With well over 300 websites using Cart32, it is rather shocking that the big security hole Bunny69 reported back in May still exists in Cart32. Bunny69 reported the hole on May 22 to the SecurityFocus Bugtraq security bugs list, and as of today we are still finding Cart32 sites running this blatantly insecure product.
To change the price of a product being sold through Cart32, you simply save the HTML of the page that carries the price to your hard drive and edit the source, because the price is embedded in the page itself and the server accepts whatever value is submitted back. For example, if an item is priced at $119.00, removing the 9 makes the price $11.00.
This hole is so easy to exploit that any transaction system that dumps the submitted price straight into a backend database without further inspection may already have lost substantial revenue to it.
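To make the defect concrete from the merchant's side, here is an added example (not Cart32 code, and not from the original report) contrasting an order handler that bills the client-supplied price with one that takes only the item id and quantity from the form and looks the price up server-side, rejecting any submitted price that disagrees with the catalog. The catalog, item id and form posts are constructed for illustration.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {"WIDGET-119": Decimal("119.00")}


def total_trusting_client(form_body: str) -> Decimal:
    """Vulnerable pattern: the price arrives in a form field that the
    shopper's browser submitted, so whatever the client sends is billed."""
    fields = parse_qs(form_body)
    qty = int(fields["qty"][0])
    return Decimal(fields["price"][0]) * qty


def price_tampered(form_body: str) -> bool:
    """Detection check: True when a submitted price disagrees with the
    catalog price for the item, which is the signature of an edited page."""
    fields = parse_qs(form_body)
    item = fields["item"][0]
    submitted = fields.get("price")
    if item not in CATALOG or not submitted:
        return False
    return Decimal(submitted[0]) != CATALOG[item]


def total_from_catalog(form_body: str) -> Decimal:
    """Hardened pattern: only item id and quantity are taken from the client;
    the price is looked up server-side and a mismatch aborts the order
    (worth logging) rather than being silently corrected."""
    fields = parse_qs(form_body)
    item = fields["item"][0]
    if item not in CATALOG:
        raise ValueError(f"unknown item {item!r}")
    qty = int(fields["qty"][0])
    if qty < 1:
        raise ValueError("quantity must be positive")
    if price_tampered(form_body):
        raise ValueError(f"submitted price for {item} does not match catalog")
    return CATALOG[item] * qty


# Constructed form posts: the genuine one, and one with the 9 removed from 119.00.
GENUINE = "item=WIDGET-119&qty=1&price=119.00"
TAMPERED = "item=WIDGET-119&qty=1&price=11.00"
```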
Market Impact
With so many security vulnerabilities being exposed and discussed in the media, it is rather shocking that companies still do not perform due diligence on security. Any company accepting financial transactions over the Internet should have an outside security audit done so that it can plug its security holes before its profitability gets plugged.
Companies selling e-commerce products need to be held accountable by their customers for shipping products with such easy-to-exploit security holes. Customers need to become more insistent on security patches and start holding vendors liable.
User Recommendations
Security integrators and consultants who can assist Cart32 customers and other e-commerce vendors include:
| Security Consultant / Integrator | Phone Number |
| --- | --- |
| Triumph | 781-994-3000 |
| Guardent | 888-413-4344 |
| Jerboa | 617-492-8084 |
| Predictive | 212-659-3400 |
| @Stake | 617-621-3500 |
Electronic shopping carts commonly have similar vulnerabilities, and any site using one should proceed with caution.
