The following entries in Common Vulnerabilities and Exposures (CVE), at http://cve.mitre.org, are examples of this sin.
The web page add_2_basket.asp in Element InstantShop allows remote attackers to modify price information via the price hidden form variable.
The form looks like this:
<INPUT TYPE=HIDDEN NAME="id" VALUE="AUTO0034">
<INPUT TYPE=HIDDEN NAME="product" VALUE="BMW545">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Expensive Car">
<INPUT TYPE=HIDDEN NAME="price" VALUE="100">
You can set the price field to any value you want, then resubmit it to the server hosting InstantShop, and you have a very expensive car for only $100. You may have to pay shipping costs, however.
There is no CVE number for this security defect, but there is an entry in the OSVDB (www.osvdb.org); its id is 4933.
MaxWebPortal is a web portal and online community system. The product uses hidden fields for many of its administrative tasks. This allows malicious users to analyze the HTML pages, alter the values in the hidden fields, and potentially gain access to functionality intended only for the administrator.
The first example is to set the hidden news value to 1 when posting. This will place the posting on the front page as news!
The second example is to set the allmem (all members) parameter to true. Then all members will receive an e-mail. This could be exploited to spam system users.
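Both examples share one root cause: the server treats a hidden field as trustworthy state. The following Python is an added illustration written for this page, not code from InstantShop, MaxWebPortal, or the book; the product catalogue, user table, field names other than price, news and allmem, and the secret key are all constructed for the example. It shows the InstantShop-style handler that trusts the submitted price beside a hardened one that resolves the price from the server's own catalogue, an authorization check that honours the MaxWebPortal-style news and allmem flags only for administrators, and, for hidden fields that genuinely must round-trip through the client, a keyed HMAC so that any tampering is detected on the way back in.

```python
import hmac
import hashlib

# Constructed server-side catalogue: the authoritative price lives here,
# never in the form the browser submits. Ids and prices are made up.
CATALOGUE = {
    "BMW545": {"name": "Expensive Car", "price": 54500},
    "MUG01": {"name": "Coffee Mug", "price": 8},
}

# Constructed user table: only an administrator may post front-page news
# or mail every member.
USERS = {
    "admin": {"is_admin": True},
    "alice": {"is_admin": False},
}

# Constructed key for the HMAC example; a real deployment keeps this out of
# source control and rotates it.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def add_to_basket_vulnerable(form):
    """Mirrors the add_2_basket.asp defect: the hidden 'price' is believed as sent."""
    return {"product": form["product"], "price": int(form["price"])}


def add_to_basket_hardened(form):
    """Price is looked up server-side by product id; any submitted 'price' is ignored."""
    item = CATALOGUE.get(form.get("product"))
    if item is None:
        raise ValueError("unknown product")
    return {"product": form["product"], "price": item["price"]}


def post_message_hardened(form, user):
    """Privileged flags (news=1, allmem=true) take effect only for administrators.

    The flags are still accepted from the form, but the decision is made from the
    server's view of who the user is, not from what the form claims.
    """
    is_admin = USERS.get(user, {}).get("is_admin", False)
    wants_news = form.get("news") == "1"
    wants_allmem = form.get("allmem") == "true"
    if (wants_news or wants_allmem) and not is_admin:
        raise PermissionError("privileged flag set by a non-administrator")
    return {"body": form.get("body", ""), "news": wants_news, "mail_all": wants_allmem}


def sign_hidden_fields(fields):
    """Keyed MAC over the hidden fields, emitted as one more hidden field ('sig').

    Fields are serialised in sorted key order so client and server agree on the
    exact bytes being authenticated.
    """
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def verify_hidden_fields(form):
    """True only if 'sig' matches the MAC recomputed over the other submitted fields."""
    sig = form.get("sig")
    if sig is None:
        return False
    fields = {k: v for k, v in form.items() if k != "sig"}
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(sign_hidden_fields(fields), sig)


if __name__ == "__main__":
    # Constructed submission with the price field edited down to 100.
    tampered = {"id": "AUTO0034", "product": "BMW545", "name": "Expensive Car", "price": "100"}
    print("vulnerable:", add_to_basket_vulnerable(tampered))
    print("hardened:  ", add_to_basket_hardened(tampered))
    fields = {"id": "AUTO0034", "product": "BMW545"}
    signed = dict(fields, sig=sign_hidden_fields(fields))
    print("signed ok: ", verify_hidden_fields(signed))
    print("edited ok: ", verify_hidden_fields(dict(signed, product="MUG01")))
```

The catalogue lookup is the preferred fix for the InstantShop case, because it removes the client from the price decision entirely. The HMAC variant is for state that has no server-side home (a multi-step wizard, for instance): it does not hide the values, so anything confidential still does not belong in a hidden field, but it does let the server reject a form whose hidden fields were altered.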