Re: [mv] Could this be a possible Security Hole?
The best way around this that I know is to check the HTTP_REFERER and make
sure the page actually resides on your site before doing anything critical
(like checkout).
That way if I download and edit the page, and run it from *anywhere* but
your server, it is useless and recognized as invalid.
If they hack into your machine to put the page there, well then it is too
late already!
Brian Allen
brian@purenetfx.com
> ****** message to minivend-users from "vic777" <vic777@primenet.com> ******
>
> This was brought to my attention tonight and I'm going to pass this along:
>
> Someone right clicks and saves the page during checkout (I saved mine
> as 'process.html'). They then edit the saved page to change prices (lower
> of course), load the local page and hit the 'place order' button. My
> minivend comes up with the:
>
> items: you might want to order something (empty cart?). It didn't choke on
> the price, but I see that the session id is in the source code, is it
> possible to manipulate the cookie or something similar (just change the
> price in the generated html text) to alter pricing?
>
> Could someone more savvy than me find a way around this to force purchases
> through at whatever price they set (vs. the price it should sell for)? I
> don't understand Minivend to the depth that most of you folks do (I just
> loaded it, took the defaults and let it work its magic). Is minivend safe
> because it does its calcs off a server-based database or ???
>
> Somebody has reported that there is a security hole in many e-commerce
> sites. I found this in an article on www.hackerwhacker.com; the article name
> is "Holes in E-Commerce Sites".
>
> TIA for soothing this nervous nellie...
> Vic
>
> -
> To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
> email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
> Archive of past messages: http://www.minivend.com/minivend/minivend-list
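Added example (not code from this thread or from MiniVend) showing the server-side answer to Vic's question: a checkout handler that reprices every line from the server's own catalog and ignores whatever price a saved-and-edited page submits, with an HTTP_REFERER check of the kind Brian describes kept only as an advisory signal, since that header is supplied by the client. The SKUs, prices, `site_host` and function names are assumptions made up for the example.

```python
from decimal import Decimal

# Constructed stand-in for the server-side price database; hypothetical SKUs.
CATALOG = {
    "SKU-100": Decimal("49.95"),
    "SKU-200": Decimal("12.50"),
}


def referer_is_local(environ, site_host):
    """Advisory check: True only if HTTP_REFERER names our own host.
    The header comes from the client, so this catches the naive saved-page
    case but must never be the thing that decides the price."""
    ref = environ.get("HTTP_REFERER", "")
    return ref.startswith("http://" + site_host + "/") or \
        ref.startswith("https://" + site_host + "/")


def price_order(submitted_items):
    """Recompute the order total from CATALOG, ignoring any submitted price.
    submitted_items: list of dicts with 'sku', 'quantity' and optionally a
    client-sent 'price' (what an edited process.html would carry).
    Returns (total, tampered): tampered lists SKUs whose submitted price
    differs from the catalog price, for logging or review."""
    total = Decimal("0")
    tampered = []
    for item in submitted_items:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError("unknown item: " + sku)
        qty = int(item["quantity"])
        if qty <= 0:
            raise ValueError("bad quantity for " + sku)
        server_price = CATALOG[sku]
        if "price" in item and Decimal(str(item["price"])) != server_price:
            tampered.append(sku)
        total += server_price * qty   # server price wins, always
    return total, tampered


def process_checkout(environ, submitted_items, site_host="shop.example"):
    """Handle 'place order': reject an empty cart, then price server-side."""
    if not submitted_items:
        return {"ok": False, "reason": "empty cart"}
    total, tampered = price_order(submitted_items)
    return {"ok": True, "total": total, "tampered": tampered,
            "referer_local": referer_is_local(environ, site_host)}
```

Because the total is derived solely from CATALOG, an edited price field changes nothing but the `tampered` list, which is worth logging as an attempted manipulation.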