Security issue

Posted: Tue Jun 19, 2007 2:27 pm
by Martin2006
I just wanted to point out that it is possible to change the price paid for an item because it is stored in a cookie.

On the example site:

Order1=MBC1%7C1%7C36.99%7CFull%20Bone%20in%20Chickens%7C9.95%7CNo%20marinade%3B%20No%20stuffing

If this is changed to

Order1=MBC1%7C1%7C1%7CFull%20Bone%20in%20Chickens%7C9.95%7CNo%20marinade%3B%20No%20stuffing

Then at checkout I only have to pay $1 for the product.

This JavaScript model of storing prices in the client cookie is very insecure.

Martin

a more secure way to stop cookie injections

Posted: Sat Jun 30, 2007 8:54 pm
by guma
i have heard of this problem and i think it should be discussed here.

i use php and i am thinking of a way to avoid this cookie-injection:
- if you use sessions you can store the cart entries on the server instead of the cookies
- therefore I have to replace some code where cookies are stored, read ...

I am looking for 1 or 2 people that will help me with this. I can do the programming but i need to know where to add code.

let me know. greetings guma
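The server-side approach guma describes, as an added example that is not NOP cart code nor anything posted in this thread: at checkout the cookie is parsed, but the price and shipping come from a server-side price list (a constructed CATALOGUE here), so the $1 edit Martin showed changes nothing and is flagged for logging. The cookie layout (code|qty|price|name|shipping|options, URL-encoded) is assumed from the example value in the thread.

```javascript
// Added example (not NOP cart code): price a cart line at checkout from a
// server-side price list instead of trusting the price stored in the cookie.
// Assumed cookie layout, taken from the thread's example value:
//   code|qty|price|name|shipping|options   (URL-encoded, '|' is %7C)

// Constructed sample: the authoritative prices live on the server, never in the cookie.
const CATALOGUE = {
  MBC1: { price: 36.99, shipping: 9.95 },
};

// Decode one OrderN cookie value into its fields.
function parseOrderCookie(value) {
  const [code, qty, price, name, shipping, options] = decodeURIComponent(value).split('|');
  return { code, qty: Number(qty), price: Number(price), name, shipping: Number(shipping), options };
}

// Compute the line total from CATALOGUE and report whether the client-supplied
// price or shipping disagreed with the server (a tampering indicator worth logging).
function priceOrderLine(value) {
  const line = parseOrderCookie(value);
  const item = CATALOGUE[line.code];
  if (!item) throw new Error(`unknown product code ${line.code}`);
  if (!Number.isInteger(line.qty) || line.qty < 1) throw new Error(`bad quantity for ${line.code}`);
  const tampered = line.price !== item.price || line.shipping !== item.shipping;
  // Round to cents after multiplying so floating-point noise does not leak into the total.
  const total = Math.round((item.price * line.qty + item.shipping) * 100) / 100;
  return { code: line.code, qty: line.qty, total, tampered };
}

// Constructed inputs: the genuine cookie from the thread and the edited $1 version.
const GENUINE = 'MBC1%7C1%7C36.99%7CFull%20Bone%20in%20Chickens%7C9.95%7CNo%20marinade%3B%20No%20stuffing';
const TAMPERED = 'MBC1%7C1%7C1%7CFull%20Bone%20in%20Chickens%7C9.95%7CNo%20marinade%3B%20No%20stuffing';

console.log(priceOrderLine(GENUINE));   // total 46.94, tampered false
console.log(priceOrderLine(TAMPERED));  // total 46.94, tampered true (price still 36.99)
```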

Posted: Sun Jul 01, 2007 12:49 am
by Koibito
I am aware of this potential problem, but after several years with NOP cart, and approximately 1750 product items and thousands of orders, I have never encountered any problems with this issue. It helps when you have the Inventory add-on installed. Stefko's Inventory add-on reads the correct price from an inventory file, so you can always compare the prices in the e-mail (from the cookies) with the order summary that the Inventory add-on gives you.

Posted: Sun Jul 01, 2007 3:41 am
by Stefko
My solution is two-fold, first I place the form items hidden fields into a javascript, now we have form protection. Then also I encrypt the cookie data like so:

6E414E133F67D07BEE3DCC77E7B4D8DCAA9AD0DDDFADD7204FA9EBC72BCD69C33AC60D088A07E37A4CDAF4EFBA6CB9A4E51D7EF0054227EF

Since I use a custom cookie routine, even with the extra length added to the cookie I can get ~35 items in the cart with IE, and nearly 300 on all other browsers.

Works for me!

Posted: Tue Aug 28, 2007 8:51 pm
by PHOUR19
No easy fix for this problem yet ?

For such a great shopping cart I can't believe there is not a fix for this yet.

Thanks Tim

Posted: Wed Aug 29, 2007 1:16 am
by Randy
This has been discussed at great length before -- Stefko came up with one easy fix:

Stefko wrote: My solution is two-fold, first I place the form items hidden fields into a javascript, now we have form protection. Then also I encrypt the cookie data like so:

6E414E133F67D07BEE3DCC77E7B4D8DCAA9AD0DDDFADD7204FA9EBC72BCD69C33AC60D088A07E37A4CDAF4EFBA6CB9A4E51D7EF0054227EF

Since I use a custom cookie routine, even with the extra length added to the cookie I can get ~35 items in the cart with IE, and nearly 300 on all other browsers.

Works for me!

However, as with all JavaScript, there is more than one way to approach a problem. Maybe someone else has another easy fix.

Randy

Re: Security issue

Posted: Mon Mar 23, 2015 8:35 pm
by graphics
Just wondering if that issue was addressed/updated in the 4.4 version of nopcart? :oops: