Overview
CS-Cart v3.0.4 and possibly other versions configured with PayPal Standard Payment is susceptible to a client-side attack that results in an attacker purchasing items without having to pay for them.
Description
It has been reported that CS-Cart v3.0.4 configured with PayPal Standard Payments contains a design flaw that allows an attacker to buy items without having to pay for them. The parameter for the merchant's PayPal email address is controlled on the client-side and not verified by the server. This allows an attacker to change the PayPal email address to one the attacker controls allowing the attacker to purchase items on a website but effectively pay themselves instead of the merchant. Manual verification of website orders with the PayPal transactions would need to be performed to detect this fraud. |
Impact
An attacker can effectively purchase items without paying the merchant for them. |
Solution
Update The vendor has stated that this vulnerability has been addressed in CS-Cart version 3.0.6. They have also released the security patch for the older versions (3.0.x & 2.2.x). |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.1 | AV:N/AC:M/Au:N/C:N/I:C/A:N |
| Temporal | 4.7 | E:U/RL:OF/RC:UC |
| Environmental | 1.3 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Giancarlo Pellegrino Institute Eurecom and SAP Research for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
| CVE IDs: | CVE-2013-0118 |
| Date Public: | 2013-02-15 |
| Date First Published: | 2013-02-22 |
| Date Last Updated: | 2013-02-22 13:06 UTC |
| Document Revision: | 11 |