Security issue


Postby Martin2006 » Tue Jun 19, 2007 2:27 pm

I just wanted to point out that it is possible to change the price paid for an item because it is stored in a cookie.

On the example site:

Order1=MBC1%7C1%7C36.99%7CFull%20Bone%20in%20Chickens%7C9.95%7CNo%20marinade%3B%20No%20stuffing

If this is changed to

Order1=MBC1%7C1%7C1%7CFull%20Bone%20in%20Chickens%7C9.95%7CNo%20marinade%3B%20No%20stuffing

Then at checkout I only have to pay $1 for the product.

This JavaScript model of storing prices in the client cookie is very insecure.

Martin
Martin2006
Posts: 1
Joined: Tue Jun 19, 2007 2:23 pm

a more secure way to stop cookie injections

Postby guma » Sat Jun 30, 2007 8:54 pm

I have heard of this problem and I think it should be discussed here.

I use PHP and I am thinking of a way to avoid this cookie injection:
- if you use sessions you can store the cart entries on the server instead of the cookies
- therefore I have to replace some code where cookies are stored, read ...

I am looking for 1 or 2 people that will help me with this. I can do the programming but i need to know where to add code.

Let me know. Greetings, guma
guma
Posts: 1
Joined: Sat Jun 30, 2007 8:40 pm

Postby Koibito » Sun Jul 01, 2007 12:49 am

I am aware of this potential problem, but after several years with NOP cart, and approximately 1750 product items and thousands of orders, I have never encountered any problems with this issue. It helps when you have the Inventory add-on installed. Stefko's Inventory add-on reads the correct price from an inventory file, so you can always compare the prices in the e-mail (from the cookies) with the order summary that the Inventory add-on gives you.
John
Koibito
Site Admin / Guru
Posts: 918
Joined: Sun May 28, 2006 1:59 am
Location: New Jersey, USA

Postby Stefko » Sun Jul 01, 2007 3:41 am

My solution is two-fold: first I place the form items' hidden fields into a JavaScript, now we have form protection. Then also I encrypt the cookie data like so:

6E414E133F67D07BEE3DCC77E7B4D8DCAA9AD0DDDFADD7204FA9EBC72BCD69C33AC60D088A07E37A4CDAF4EFBA6CB9A4E51D7EF0054227EF

Since I use a custom cookie routine, even with the extra length added to the cookie I can get ~35 items in the cart with IE, and nearly 300 on all other browsers.


Works for me!
KFL Technologies
Web-Enabled Solutions
e-Commerce Solutions
Stefko
Contributor / Guru
Posts: 833
Joined: Wed Sep 18, 2002 1:11 am
Location: Wichita, KS

Postby PHOUR19 » Tue Aug 28, 2007 8:51 pm

No easy fix for this problem yet?

For such a great shopping cart I can't believe there is not a fix for this yet.

Thanks Tim
PHOUR19
WebMaster
Posts: 15
Joined: Tue Jan 23, 2007 10:26 pm
Location: Georgia

Postby Randy » Wed Aug 29, 2007 1:16 am

This has been discussed at great length before -- Stefko came up with one easy fix:

Stefko wrote: My solution is two-fold: first I place the form items' hidden fields into a JavaScript, now we have form protection. Then also I encrypt the cookie data like so:

6E414E133F67D07BEE3DCC77E7B4D8DCAA9AD0DDDFADD7204FA9EBC72BCD69C33AC60D088A07E37A4CDAF4EFBA6CB9A4E51D7EF0054227EF

Since I use a custom cookie routine, even with the extra length added to the cookie I can get ~35 items in the cart with IE, and nearly 300 on all other browsers.


Works for me!


However, as with all JavaScript, there is more than one way to approach a problem. Maybe someone else has another easy fix.

Randy
Randy
Guru
Posts: 1511
Joined: Tue Apr 22, 2003 12:21 pm
Location: Thunder Bay, Ontario

Re: Security issue

Postby graphics » Mon Mar 23, 2015 8:35 pm

Just wondering if that issue was addressed/updated in the 4.4 version of nopcart?
graphics
WebMaster
Posts: 50
Joined: Fri Oct 06, 2006 5:01 am
