E-commerce merchants using shopping cart software CS-Cart version 3.0.4 and earlier are vulnerable to a flaw that allows fraudsters to buy goods without paying for them.
The flaw lies in the configuration of PayPal payments Standard edition in CS-Cart, which allows an attacker to change a merchant’s PayPal email address during a purchase.
CS-Cart released version 3.0.6 on February 14, but only hinted at a potential problem by stating that “PayPal processing security has been improved”.
It has not yet released a change log for the release, however Carnegie Mellon CERT drew attention to the potential fraud impact on Friday.
“CS-Cart v3.0.4 and possibly other versions configured with PayPal Standard Payment is susceptible to a client-side attack that results in an attacker purchasing items without having to pay for them,” Carnegie Mellon CERT warned.
A fraudster would need to make a payment to purchase a good, but the configuration allows them to redirect it to their own PayPal email account. The software also does not verify the address is the authorised merchant address.
“The parameter for the merchant's PayPal email address is controlled on the client-side and not verified by the server. This allows an attacker to change the PayPal email address to one the attacker controls allowing the attacker to purchase items on a website but effectively pay themselves instead of the merchant,” Carnegie Mellon CERT explained.
Detecting fraud that exploits this flaw on a busy e-commerce could be time-consuming and tricky. Merchants would need to manually cross-check website orders with PayPal transactions to spot it, according to the CERT.
Patches for older versions of CS-Cart in the 3.0.x and 2.2.x branches have also be released.