MiniVend Akopia Services


Re: [mv] Could this be a possible Security Hole?



At 03:22 AM 11/2/1999, you wrote:
>******    message to minivend-users from "vic777" <vic777@primenet.com> ******
>
>This was brought to my attention tonight and I'm going to pass this along:
>
>Someone right-clicks and saves the page during checkout (I saved mine
>as 'process.html').  They then edit the saved page to change prices (lower
>of course), load the local page and hit the 'place order' button.  My
>minivend comes up with the :
>
>items: you might want to order something (empty cart?).  It didn't choke on
>the price, but I see that the session id is in the source code, is it
>possible to manipulate the cookie or something similar (just change the
>price in the generated html text) to alter pricing? 

	The prices are stored in your products db, not in the page.  You cannot
hack a price.

>
>Could someone more savvy than me find a way around this to force purchases
>through at whatever price they set (vs. the price it should sell for)?  I
>don't understand Minivend to the depth that most of you folks do (I just
>loaded it, took the defaults and let it work its magic).  Is minivend safe
>because it does its calcs off a server-based database or ???
>
>Somebody has reported that there is a security hole in many e-commerce
>sites.  I found this in an article on www.hackerwhacker.com; the article name
>is "Holes in E-Commerce Sites"
>
>TIA for soothing this nervous nellie...
>Vic
>

Ryan Hertz                                              tel  800-645-BAIT
Webmaster                                               fax  520-645-2588
Advertising Director                            http://www.insideline.net
Gary Yamamoto Custom Baits, Inc.            http://www.yamamoto.baits.com
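
The server-side pricing described in the reply above, as an added example that is not part of the original message and is not MiniVend's own code: an order handler that totals from the product table and treats any price in the submitted form as untrusted, logging a mismatch instead of using it. The SKUs, prices, field names and the `price_order` function are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the server-side products database.
PRODUCTS = {"SKU-1001": Decimal("4.99"), "SKU-1002": Decimal("12.50")}


def price_order(form_items):
    """Total an order using server-side prices only.

    form_items: list of dicts from the submitted form with string fields
    'sku', 'quantity' and an untrusted 'price'.
    Returns (total, warnings); raises ValueError for an invalid line.
    """
    total = Decimal("0")
    warnings = []
    for item in form_items:
        sku = item.get("sku", "")
        if sku not in PRODUCTS:
            raise ValueError(f"unknown sku: {sku!r}")
        try:
            qty = int(item.get("quantity", ""))
        except (TypeError, ValueError):
            raise ValueError(f"bad quantity for {sku}") from None
        if qty <= 0:
            raise ValueError(f"bad quantity for {sku}")
        authoritative = PRODUCTS[sku]
        # The submitted price is compared for logging only; it never
        # contributes to the total.
        submitted = item.get("price")
        if submitted is not None:
            try:
                tampered = Decimal(submitted) != authoritative
            except (InvalidOperation, TypeError, ValueError):
                tampered = True
            if tampered:
                warnings.append(f"price mismatch on {sku}: form sent {submitted!r}")
        total += authoritative * qty
    return total, warnings


if __name__ == "__main__":
    # Constructed form data: the saved checkout page edited to a lower price.
    edited = [{"sku": "SKU-1001", "quantity": "2", "price": "0.01"}]
    print(price_order(edited))
```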

