Reported October 23, 2000 by Securax

VERSIONS AFFECTED
  • Element InstantShop

DESCRIPTION

Element InstantShop (http://www.element.be) is vulnerable to price modification. A malicious user could modify the pricing information before submitting the order form.

DEMONSTRATION

The following is a sample of HTML from an InstantShop order form:


 

By saving the web page locally and then editing the "price" field, a malicious user could purchase products for much less than their market value, or for zero or negative values.
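
The server-side check that closes this class of flaw, as an added example (not InstantShop code and not part of the original advisory): the unit price is always taken from a server-side catalog, and the submitted "price" field is only compared against it so tampering can be logged. The catalog contents, the "item" and "qty" field names, and the function and exception names are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog; item ids and prices are hypothetical.
CATALOG = {"sku-100": Decimal("49.95"), "sku-200": Decimal("120.00")}


class OrderRejected(Exception):
    """Raised when a submitted order fails server-side validation."""


def price_order(form_body):
    """Return (total, tampered) for a urlencoded order form body.

    The unit price always comes from CATALOG. The client-supplied "price"
    field never enters the total; it is only compared with the catalog
    price so that a mismatch can be logged or alerted on.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    item = fields.get("item", [""])[0]
    if item not in CATALOG:
        raise OrderRejected("unknown item")

    qty_raw = fields.get("qty", [""])[0]
    # ASCII digits only, at most 3 of them: no sign, no decimals, no blanks.
    if not (qty_raw.isascii() and qty_raw.isdecimal() and len(qty_raw) <= 3):
        raise OrderRejected("invalid quantity")
    qty = int(qty_raw)
    if qty < 1:
        raise OrderRejected("invalid quantity")

    unit_price = CATALOG[item]
    submitted = fields.get("price", [None])[0]
    tampered = False
    if submitted is not None:
        try:
            tampered = Decimal(submitted) != unit_price
        except InvalidOperation:
            tampered = True  # non-numeric price field is also a mismatch
    return unit_price * qty, tampered
```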

VENDOR RESPONSE

The vendor has been notified but no patch information has been released.

CREDIT
Discovered by Securax