CVE-2018-16157 in Super CMS
Summary
by MITRE
waimai Super Cms 20150505 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture. By setting the index.php?m=cart&a=save item_totals parameter to zero, the entire cart is sold for free.
Analysis
by VulDB Data Team • 04/06/2020
The vulnerability identified as CVE-2018-16157 resides within the waimai Super Cms version 20150505, a web-based content management system designed for restaurant and food delivery services. This particular flaw represents a critical business logic vulnerability that undermines the integrity of the e-commerce transaction process. The system fails to properly validate user input during the cart processing phase, creating an exploitable condition that allows malicious actors to manipulate pricing information before final submission. The vulnerability specifically affects the cart management functionality where the application does not adequately enforce price validation or implement proper access controls for critical transaction parameters.
Technically, the vulnerability stems from insufficient input validation and a lack of parameter sanitization in the cart processing workflow. When a user reaches the checkout step through the index.php?m=cart&a=save endpoint, the application accepts the item_totals parameter directly from client-side input without server-side verification. This parameter controls the total value calculation for the shopping cart, and when set to zero it nullifies all pricing calculations. An attacker can capture network traffic with a packet analysis tool, observe the structure of the cart submission request, and modify the item_totals value to manipulate the final transaction amount. This is a classic case of insufficient validation of user-supplied data, which aligns with CWE-20 - Improper Input Validation and CWE-352 - Cross-Site Request Forgery, though the specific implementation manifests as a business logic flaw.
The operational impact of this vulnerability extends beyond simple financial loss to encompass potential reputational damage and legal implications for the affected organization. An attacker could exploit this flaw to purchase entire orders for free, potentially leading to significant revenue loss over time. The vulnerability is particularly dangerous because it requires minimal technical expertise to exploit, making it attractive to both casual attackers and organized threat groups. The business logic error creates a scenario where the system's internal state becomes decoupled from its intended behavior, allowing unauthorized price manipulation that bypasses normal payment processing controls. This flaw could also enable attackers to systematically identify and exploit other related vulnerabilities within the same application framework, as demonstrated by the attack pattern described in the ATT&CK framework under T1212 - Exploitation for Credential Access.
Mitigation for this vulnerability must address both immediate remediation and long-term architectural improvements. The primary fix is server-side validation of the item_totals parameter so that it cannot be set to zero or a negative value during cart processing. The application should sanitize its inputs and verify that all monetary values fall within expected ranges before a transaction is processed. Additionally, the system should implement proper session management and authentication controls to prevent unauthorized modification of cart contents. Organizations should also consider transaction logging and monitoring to detect suspicious activity, particularly large discounts or zero-value transactions. The fix should follow the secure coding practices outlined in the OWASP Top Ten and include proper error handling to prevent information disclosure. Regular security testing, including penetration testing and code review, should be carried out to identify similar business logic vulnerabilities across the entire application stack.
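The following is an added example, not code from waimai Super Cms or from VulDB, illustrating both the flaw described in the analysis (charging whatever item_totals the client submits) and the remediation above (recomputing the total from the server-side price list, rejecting and logging mismatches, and scanning order logs for zero-value or under-charged orders). The catalog, prices, form fields and log lines are constructed sample data, and the log format is an assumption for the sake of the demonstration.

```python
"""Added example (not the CMS's own code): the cart-save logic flaw
beside a server-side fix, plus a simple order-log check.
All prices, form data and log lines are constructed samples."""
from decimal import Decimal

# Constructed server-side price list; the only source of truth for prices.
CATALOG = {
    "noodles": Decimal("8.50"),
    "dumplings": Decimal("6.00"),
    "tea": Decimal("2.25"),
}


class CartError(ValueError):
    """Raised when a cart submission fails server-side validation."""


def server_total(items: dict) -> Decimal:
    """Recompute the order total from the catalog and quantities only."""
    total = Decimal("0")
    for sku, qty in items.items():
        if sku not in CATALOG:
            raise CartError(f"unknown item {sku!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise CartError(f"bad quantity {qty!r} for {sku!r}")
        total += CATALOG[sku] * qty
    return total


def save_cart_vulnerable(form: dict) -> Decimal:
    """Flawed pattern from the advisory: the client-supplied item_totals
    field is charged as-is, so item_totals=0 means a free order."""
    return Decimal(str(form["item_totals"]))


def save_cart_fixed(form: dict) -> Decimal:
    """Hardened handler: the charged amount is always the server's own
    computation. The client's item_totals is compared against it only so
    that a tampered submission can be refused and logged, never trusted."""
    expected = server_total(form.get("items", {}))
    if expected <= 0:
        raise CartError("cart total must be positive")
    claimed = Decimal(str(form.get("item_totals", expected)))
    if claimed != expected:
        # In a real deployment this mismatch would be written to the audit log.
        raise CartError(f"client total {claimed} != server total {expected}")
    return expected


# Constructed order-log lines (assumed format: key=value pairs per order).
SAMPLE_LOG = """\
order=1001 charged=14.50 expected=14.50
order=1002 charged=0.00 expected=23.25
order=1003 charged=6.00 expected=6.00
order=1004 charged=1.00 expected=17.00
"""


def suspicious_orders(log: str) -> list:
    """Flag zero-value orders and orders charged below the catalog total,
    the monitoring signal the mitigation paragraph recommends."""
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        charged = Decimal(fields["charged"])
        expected = Decimal(fields["expected"])
        if charged <= 0 or charged < expected:
            flagged.append(fields["order"])
    return flagged


if __name__ == "__main__":
    tampered = {"items": {"noodles": 1, "dumplings": 1}, "item_totals": "0"}
    print("vulnerable handler charges:", save_cart_vulnerable(tampered))
    try:
        save_cart_fixed(tampered)
    except CartError as err:
        print("fixed handler rejects:", err)
    print("suspicious orders in log:", suspicious_orders(SAMPLE_LOG))
```

The fixed handler never uses the client's number as the amount to charge; it recomputes from the catalog and treats any disagreement as a validation failure, which is also the event worth alerting on. The log scan is deliberately simple so the same rule can be expressed in whatever monitoring stack the deployment already has.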