https://cxsecurity.com/issue/WLB-2007100084
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-203

3D3.ComShopFactory5.8版本为了敏感的价格数据使用客户端的加密和解密，远程攻击者可以通过使用Javascript来解密含有数据的cookie修改购物车价格。

Trust Factory Security Advisory TF20021004

Discovery Date:       October  4, 2002
Release Date:         December 2, 2002
ID:                   TF20021004
Title:                ShopFactory shopping cart price manipulation
Impact:               Customers can modify the price of items at will
Affected Technology:  Online shopping carts created with ShopFactory
Vendor Status:        Vendor was notified on October 7, 2002
                        Vendor promised partial fix, and suggested work
                        around
Discovered By:        Richard van den Berg <richard (at) trust-factory (dot) com [email concealed]>
Advisory URL:         http://www.trust-factory.com/TF20021004.html

Background:
===========
ShopFactory is an online shop management package by 3D3.COM Pty Ltd
based in Australia. A quote from the www.shopfactory.com homepage:

With more than 100,000 shops worldwide built with our secure shopping
cart software, ShopFactory is one of the world's most popular and
powerful e-commerce solutions.

Description:
============
The contents of shopping carts used by shops created with ShopFactory
software can be modified at will by customers. One interesting
vulnerablility is the ability to maliciously modify prices of items
in the shopping carts. Tests show that the modifications are maintained
throughout the billing process.

Technical details:
==================
Shopping carts created with ShopFactory software optionally store all
contents of the cart in a cookie at the browser. This includes product
IDs, descriptions and prices. Upon revisiting the store, this cookie is
used to fill the cart for the new session. At checkout the contents of
this new cart is used to enter the order into the shop's delivery and
billing system.
If the shop owner has set "Remember Shopping cart for (days)" to 0,
cookies are not created by the shop. Prior to version 5.8 cookies
are being read even when the shop does not create them. If a malicious
user manually creates a cookie with incorrect pricing, it would still
be used to fill the cart for a new shopping session.

Vendor response:
================
After being made aware of the problem, 3D3.COM chose to fix the reading
in of cookies when the shop does not create them. We have not been given
the oppertunity to verify this fix. Regardless, the price manipulation
vulnerability will still exist when "Remember Shopping cart for (days)"
is set larger than 0.
3D3.COM states that they have not heard of any merchant experiencing
fraud caused by this problem. 3D3.COM has informed its customers of this
issue.

Conclusion:
===========
ShopFactory violates the "don't trust user input" rule of application
programming, resulting in potential loss of profit for shops using
this software. See also Don't #2 of "Twenty Don'ts for ASP Developers"
at http://online.securityfocus.com/infocus/1603

Possible work around:
=====================
Upgrade to at least version 5.8 of the ShopFactory software and set
"Remember Shopping cart for (days)" to 0.

-- 
Richard van den Berg, CISSP

Trust Factory B.V.      | http://www.trust-factory.com/
Bazarstraat 44a         | Phone: +31 70 3620684
NL-2518AK The Hague     | Fax  : +31 70 3603009
The Netherlands         |

来源:XF
名称:shopfactory-price-modification(10746)
链接:http://xforce.iss.net/xforce/xfdb/10746
来源:BID
名称:6296
链接:http://www.securityfocus.com/bid/6296
来源:BUGTRAQ
名称:20021202ShopFactoryshoppingcartpricemanipulation
链接:http://www.securityfocus.com/archive/1/301863
来源:SREASON
名称:3263
链接:http://securityreason.com/securityalert/3263
来源:BUGTRAQ
名称:20030305shopfactoryshoppingcart
链接:http://cert.uni-stuttgart.de/archive/bugtraq/2003/03/msg00081.html