these functions problematic since they are tied to existing web
application systems.
Smartwin CyberOffice Shopping Cart Price Modification
Abuse of functionality occurs when an attacker alters data in a way the
application did not anticipate in order to change the behavior of the web
application. For example, the CyberOffice shopping cart can be abused by
changing the hidden price field within the web form: the page is downloaded
normally, edited, and then resubmitted with the prices set to any desired
value.
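The following is an added example written for this edition, not code from the WASC document or from the CyberOffice product: a minimal checkout handler that shows why a price carried in a hidden form field is attacker-controlled, beside the server-side fix. The catalogue, SKUs, form field names and the two POST bodies are constructed for illustration and are not taken from the original advisory.

```python
"""Added example (not part of the WASC Threat Classification text).

A hidden form field is just another client-supplied value. The vulnerable
handler below totals the order from the posted 'price'; the hardened one
prices the order only from a server-side catalogue and treats a posted
price that disagrees with the catalogue as a tampering signal.
"""
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalogue: the authoritative prices, held server-side.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("120.00"),
}

# Constructed POST bodies, as a browser would submit the cart form.
# The second one is the saved page resubmitted with the hidden price edited.
LEGIT_POST = "sku=SKU-100&qty=2&price=49.99"
TAMPERED_POST = "sku=SKU-100&qty=2&price=0.01"


class PriceTamperingDetected(ValueError):
    """Raised when the posted price does not match the catalogue price."""


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_trusting_form(body: str) -> Decimal:
    """VULNERABLE: the total is computed from the price the client posted,
    i.e. the hidden field the cart embedded in the page. Whoever edits the
    page before resubmitting it chooses the total."""
    form = parse_form(body)
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def checkout_server_priced(body: str, log: list) -> Decimal:
    """HARDENED: the client may choose what and how many; the unit price
    comes only from CATALOG. A posted 'price' is compared with the catalogue
    value for detection and is never used in the calculation."""
    form = parse_form(body)
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity out of range: {qty}")
    unit = CATALOG[sku]
    posted = form.get("price")
    if posted is not None and Decimal(posted) != unit:
        # Detection hook: a mismatch means the form was modified before
        # submission. Record it and reject the order rather than "correct" it.
        log.append(f"price mismatch sku={sku} posted={posted} catalog={unit}")
        raise PriceTamperingDetected(f"posted price {posted} != {unit}")
    return unit * qty


def compare_handlers(body: str) -> tuple:
    """Return (trusting total, hardened outcome) as strings for one POST body."""
    log: list = []
    trusting = str(checkout_trusting_form(body))
    try:
        hardened = "accepted " + str(checkout_server_priced(body, log))
    except PriceTamperingDetected:
        hardened = "rejected " + log[0]
    return trusting, hardened


if __name__ == "__main__":
    for body in (LEGIT_POST, TAMPERED_POST):
        print(body, "->", compare_handlers(body))
```

The design point is that the fix is not "validate the hidden field" but "stop deriving security-relevant state from it": the server already knows the price, so the field is redundant at best. Keeping the comparison as a logging hook costs nothing and turns an edited form into an alertable event.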
References
FormMail Real Name/Email Address CGI Variable Spamming Vulnerability
http://www.securityfocus.com/bid/3955
CVE-1999-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0800
CA Unicenter pdmcgi.exe View Arbitrary File
http://www.osvdb.org/displayvuln.php?osvdb_id=3247
PeopleSoft PeopleBooks Search CGI Flaw
http://www.osvdb.org/displayvuln.php?osvdb_id=2815
iisCART2000 Upload Vulnerability
http://secunia.com/advisories/8927/
PROTEGO Security Advisory #PSA200401
http://www.protego.dk/advisories/200401.html
Price modification possible in CyberOffice Shopping Cart
http://archives.neohapsis.com/archives/bugtraq/2000-10/0011.html
Copyright 2004, Web Application Security Consortium. All rights reserved.