Example Sins

The following entries in Common Vulnerabilities and Exposures (CVE), at http://cve.mitre.org, are examples of this sin.

CAN-2000-1001

The web page add_2_basket.asp in Element InstantShop allows remote attackers to modify price information via the price hidden form variable.

The form looks like this:

    <INPUT TYPE="HIDDEN" NAME="id" VALUE="AUTO0034">
    <INPUT TYPE="HIDDEN" NAME="product" VALUE="BMW545">
    <INPUT TYPE="HIDDEN" NAME="name" VALUE="Expensive Car">
    <INPUT TYPE="HIDDEN" NAME="price" VALUE="100">

You can set the price field to any value you want, then resubmit it to the server hosting InstantShop, and you have a very expensive car for only $100. You may have to pay shipping costs, however.

MaxWebPortal Hidden Form Field Modification

There is no CVE number for this security defect, but there is an entry in the OSVDB (www.osvdb.org); its id is 4933.

MaxWebPortal is a web portal and online community system. The product uses hidden fields for much of its administrative functionality. This allows malicious users to analyze the HTML pages, alter the values in the hidden fields, and potentially gain access to functionality intended only for the administrator.

The first example is to set the hidden news value to 1 when posting. This will place the posting on the front page as news!

The second example is to set the allmem (all members) parameter to true. Then all members will receive an e-mail. This could be exploited to spam system users.
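Both examples share one root cause: the server treats a hidden form field as trustworthy state. The following added example, which is not code from the book or from either product, shows an InstantShop-style basket handler that trusts the client's price beside two server-side remedies (resolving the price from a server-held catalog, and binding hidden fields with an HMAC so tampering is detected), and a MaxWebPortal-style posting handler that honours the news flag only when the session's role allows it. The catalog, secret, form bodies and field names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed catalog: the only source of prices the server should believe.
CATALOG = {"BMW545": {"name": "Expensive Car", "price": 54500}}

# Constructed secret for the HMAC example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-only-secret"


def add_to_basket_trusting(form_body: str) -> dict:
    """Vulnerable handler: the price comes straight from the hidden field (CAN-2000-1001 pattern)."""
    fields = parse_qs(form_body)
    return {"product": fields["product"][0], "price": int(fields["price"][0])}


def add_to_basket_lookup(form_body: str) -> dict:
    """Hardened handler: the client only names the product; the price is looked up server-side."""
    fields = parse_qs(form_body)
    product = fields["product"][0]
    if product not in CATALOG:
        raise ValueError("unknown product")
    # Any 'price' field the client sent is deliberately ignored.
    return {"product": product, "price": CATALOG[product]["price"]}


def sign_hidden_fields(fields: dict) -> str:
    """Bind a set of hidden fields together under a server secret (canonical key order)."""
    canonical = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(SERVER_SECRET, canonical, hashlib.sha256).hexdigest()


def verify_hidden_fields(fields: dict, tag: str) -> bool:
    """Constant-time check that the submitted fields are the ones the server emitted."""
    return hmac.compare_digest(sign_hidden_fields(fields), tag)


def post_news_item(form_body: str, session_role: str) -> dict:
    """MaxWebPortal-style posting: 'news=1' is only honoured for an administrator session.

    The role comes from server-side session state, never from the form.
    """
    fields = parse_qs(form_body)
    wants_front_page = fields.get("news", ["0"])[0] == "1"
    if wants_front_page and session_role != "admin":
        raise PermissionError("only administrators may post to the front page")
    return {"subject": fields["subject"][0], "front_page": wants_front_page}


if __name__ == "__main__":
    # Constructed request body, with the hidden price already tampered down to 100.
    tampered = "id=AUTO0034&product=BMW545&name=Expensive+Car&price=100"
    print("trusting handler charges:", add_to_basket_trusting(tampered)["price"])
    print("lookup handler charges:  ", add_to_basket_lookup(tampered)["price"])

    hidden = {"product": "BMW545", "price": "54500"}
    tag = sign_hidden_fields(hidden)
    print("untouched fields verify: ", verify_hidden_fields(hidden, tag))
    print("tampered fields verify:  ", verify_hidden_fields({**hidden, "price": "100"}, tag))

    try:
        post_news_item("subject=hello&news=1", session_role="member")
    except PermissionError as exc:
        print("member posting as news:  ", exc)
```

Of the two remedies, the catalog lookup is the stronger one: a signed hidden field proves the value is the one the server emitted, but the server still has to keep the secret safe and bind the fields to the right product and session, whereas a lookup leaves nothing price-related in the client's hands at all.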

19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Year: 2003
Pages: 239