J-Security Center

Title: JustAddCommerce Hidden Form Field Manipulation Vulnerability

Severity: HIGH

Description:

JustAddCommerce is an online ordering system and e-commerce application that is available for Microsoft FrontPage and Macromedia Dreamweaver.

JustAddCommerce does not properly validate data contained in hidden fields it receives from submitted forms.

JustAddCommerce trusts the values submitted in hidden form fields. An attacker could therefore modify the price data carried in those fields and submit the altered form; the server accepts the submitted value as a valid price. Other values carried in hidden form fields could be modified the same way.

It is possible to exploit this issue by saving a form locally and then manually editing the hidden form fields to contain attacker-supplied values. The attacker may then submit the malicious form to the vulnerable website. Some web clients, such as curl, will also allow an attacker to manually submit form data to a website.

This issue may be present when JustAddCommerce is deployed with the "Standard Security" setting, which is the default security level. JustAddCommerce provides other security settings which will eliminate this problem.
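The following is an added example, not JustAddCommerce's code, that contrasts the vulnerable pattern described above (the handler multiplies the submitted hidden price by the quantity) with two server-side defenses: looking the price up from a server-held catalog and ignoring the hidden value, or, where a value must round-trip through the client, binding it to an HMAC so any edit fails verification. The SKU catalog, the `sig` field and the signing secret are assumptions made for the demonstration.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed server-side catalog (prices in cents): the only price source the server trusts.
CATALOG = {"SKU-100": 4999, "SKU-200": 1250}

# Hypothetical server secret for signing hidden fields (an assumption, not a JustAddCommerce feature).
SECRET = b"constructed-demo-secret"


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to one value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def total_vulnerable(form: dict) -> int:
    """Vulnerable pattern: the price in the hidden field is used exactly as submitted."""
    return int(form["price"]) * int(form["qty"])


def total_hardened(form: dict) -> int:
    """Hardened pattern: the submitted price is ignored; the server prices the SKU itself."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("bad quantity")
    return CATALOG[sku] * qty


def sign_hidden(sku: str, price: int) -> str:
    """MAC over the (sku, price) pair, emitted alongside the hidden fields when the form is rendered."""
    return hmac.new(SECRET, f"{sku}:{price}".encode(), hashlib.sha256).hexdigest()


def total_signed(form: dict) -> int:
    """Accept the submitted price only if its MAC verifies; an edited price fails closed."""
    expected = sign_hidden(form["sku"], int(form["price"]))
    if not hmac.compare_digest(expected, form.get("sig", "")):
        raise ValueError("hidden field tampered")
    return int(form["price"]) * int(form["qty"])


# Constructed submissions: the form as rendered, and a copy with the hidden price edited to 1 cent.
LEGIT = "sku=SKU-100&price=4999&qty=2&sig=" + sign_hidden("SKU-100", 4999)
TAMPERED = "sku=SKU-100&price=1&qty=2&sig=" + sign_hidden("SKU-100", 4999)
```

Running `total_vulnerable` over `TAMPERED` yields 2 cents for two items, while `total_hardened` returns the catalog total of 9998 and `total_signed` rejects the edited submission.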

Affected Products:

  • Rich Media Technologies JustAddCommerce Standard 5.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.