Rapid7 Vulnerability & Exploit Database

Cart32 Hidden Field Modification Vulnerability


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 02/01/2000
Created: 07/25/2018
Added: 11/01/2004
Modified: 12/04/2013

Description

Cart32 suffers from a design flaw whereby it reads the price of a shopping cart item from client-submitted input (a hidden form field) rather than from a server-side catalogue. As a result, a remote user who edits that field before submitting the form can set an arbitrary price for any item managed by Cart32.

This vulnerability was originally reported in 2000. The authors of the Cart32 software attempted to mitigate it by adding sanity checks on the HTTP Referer header, but a 2002 Bugtraq advisory pointed out that such checks are insufficient: the Referer header is supplied by the client and can be set to any value by anyone who controls the request, so it does not establish that the submitted prices came from the merchant's own form.
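The following is an added illustration of the flaw and of why the Referer check does not fix it; it is example code written for this page, not Cart32's own code. It models a checkout handler that trusts a hidden `price` field (the Cart32 design), the same handler corrected to resolve prices from a server-side catalogue, and a Referer "sanity check" that a forged header passes. The item SKUs, prices, form bodies and the host `shop.example` are all constructed for the example.

```python
"""Price-tampering via a hidden form field, and the Referer check that does not stop it.

Example code added for illustration; not Cart32's implementation.
All SKUs, prices, request bodies and hostnames below are constructed.
"""
from decimal import Decimal
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("129.00")}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def total_vulnerable(body: str) -> Decimal:
    """Cart32-style flaw: the unit price is read from a hidden field in the
    request, so the client decides what it pays."""
    form = parse_form(body)
    return Decimal(form["price"]) * int(form["qty"])


def total_hardened(body: str) -> Decimal:
    """Fix: accept only the item identifier and quantity from the client and
    look the price up server-side; any 'price' field in the request is ignored.
    Unknown items and non-positive quantities are rejected."""
    form = parse_form(body)
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if qty <= 0:
        raise ValueError("quantity must be positive")
    return CATALOG[item] * qty


def referer_check(headers: dict, allowed_host: str) -> bool:
    """The 2000-era mitigation: accept the order only if the Referer header
    names the shop's own host. The header is chosen by the client, so a
    tampering client simply sends the expected value."""
    ref = headers.get("Referer", "")
    return urlparse(ref).hostname == allowed_host


# Constructed requests: a legitimate submission from the shop's form, and the
# same request with the hidden price field edited to one cent.
HONEST = "item=SKU-100&price=49.99&qty=2"
TAMPERED = "item=SKU-100&price=0.01&qty=2"
# Constructed forged header: the attacker sets Referer to whatever the check wants.
FORGED_HEADERS = {"Referer": "https://shop.example/cart.html"}

if __name__ == "__main__":
    print("vulnerable:", total_vulnerable(HONEST), total_vulnerable(TAMPERED))
    print("hardened:  ", total_hardened(HONEST), total_hardened(TAMPERED))
    print("forged Referer passes check:", referer_check(FORGED_HEADERS, "shop.example"))
```

The hardened handler never consults the client's `price` field at all; the only client-controlled inputs are an item identifier validated against the catalogue and a quantity range-checked server-side. That, rather than any header check, is the fix the 2002 advisory was pointing at.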

Solution(s)

  • http-cart32-hidden-field-modification
