Could this be a possible Security Hole?
This was brought to my attention tonight and I'm going to pass this along:

Someone right-clicks and saves the page during checkout (I saved mine
as 'process.html'). They then edit the saved page to change prices (lower,
of course), load the local page and hit the 'place order' button. My
minivend comes up with the:
items: you might want to order something (empty cart?). It didn't choke on
the price, but I see that the session id is in the source code. Is it
possible to manipulate the cookie or something similar (just change the
price in the generated html text) to alter pricing?

Could someone more savvy than me find a way around this to force purchases
through at whatever price they set (vs. the price it should sell for)? I
don't understand Minivend to the depth that most of you folks do (I just
loaded it, took the defaults and let it work its magic). Is minivend safe
because it does its calcs off a server-based database or ???

Somebody has reported that there is a security hole in many e-commerce
sites. I found this in an article on www.hackerwhacker.com; the article name
is "Holes in E-Commerce Sites".

TIA for soothing this nervous nellie...
Vic
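
The design question raised above (does the order total come from the submitted page or from the server's own database?), shown as an added example that is not part of the original post and is not Minivend code. The catalog, form field names and function names are hypothetical, and the sample submission is constructed.

```python
# Added example: hypothetical order handlers, not Minivend code.
from decimal import Decimal

# Constructed server-side catalog; SKUs and prices are sample values.
CATALOG = {"SKU-100": Decimal("19.95"), "SKU-200": Decimal("149.00")}

# Constructed submission, as it might arrive from a locally edited checkout page.
EDITED_FORM = [
    {"sku": "SKU-100", "quantity": "2", "price": "19.95"},
    {"sku": "SKU-200", "quantity": "1", "price": "1.00"},
]


def total_trusting_client(form_items):
    """Weak design: multiplies the price echoed back in the submitted form."""
    return sum(Decimal(i["price"]) * int(i["quantity"]) for i in form_items)


def total_from_catalog(form_items):
    """Server-side design: reads only SKU and quantity; any 'price' is ignored."""
    total = Decimal("0")
    for item in form_items:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku: {sku!r}")
        qty = int(item.get("quantity", 0))
        if qty <= 0:
            raise ValueError(f"invalid quantity for {sku}: {qty}")
        total += CATALOG[sku] * qty
    return total


def price_mismatches(form_items):
    """SKUs whose submitted price differs from the catalog, for logging/alerting."""
    return [
        i["sku"] for i in form_items
        if i.get("sku") in CATALOG and "price" in i
        and Decimal(i["price"]) != CATALOG[i["sku"]]
    ]


if __name__ == "__main__":
    print("trusting client:", total_trusting_client(EDITED_FORM))
    print("from catalog:   ", total_from_catalog(EDITED_FORM))
    print("mismatched SKUs:", price_mismatches(EDITED_FORM))
```

With the second handler the edited price has no effect on what is charged, and the mismatch list gives the shop something to log when a submitted page disagrees with the catalog.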