Re: [ic] would that be possible with IC ?
On Tue, Mar 06, 2001 at 01:05:28AM -0700, Ryan Hertz wrote:
>
> >
> >I haven't the experience to know this, but could IC be abused
> >the way this article describes other shopping cart applications can ?
> >
> >http://www.zdnet.com/zdnn/stories/news/0,4586,2692337,00.html?chkpt=zdnn_rt_latest
It would be best to summarize rather than post links. :-) That way
we can address your interpretation rather than our interpretation. I
might see an entirely different abuse than you!
> >
> >BF
>
> I seriously doubt it. Although I've heard about that type of hack many
> years ago, I never imagined that anyone would write software that would
> be susceptible to that type of exploit. AFAIK Interchange never asks the
> literal page for the price, it looks in its database to match the price to
> the item ordered. (duh)
If that means keying in the price of an item, yes, one could mangle minivend
so it would do that; but not the stock install.
Yahoo stores last year let one enter the price into a get string, not even
a hidden string. At least the seed catalog store I use did. I noted that
that convenient order entry is not available this year when I ordered this
past weekend. :-)
>
> There is a possibility that Cybercash-like interfaces could be vulnerable
> if the dollar value ever exists in a hidden form field, or URL
> encoded. But then, that's not IC, is it? ;-)
Last I played with Cybercash that was all encrypted. Still, we've not
used Cybercash for several years now; all of our merchants have moved back
to their regular processors.
--
Christopher F. Miller, Publisher cfm@maine.com
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
1.207.657.5078 http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux
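
Added example, not part of the original message and not Interchange code: the server-side price lookup discussed in this thread, written in Python. The catalog contents, field names (sku, quantity, price), MAX_QTY and the price_order function are all assumptions made for illustration. Any price the client submits is never used for the total; it is only compared against the database value so that a mismatch can be logged.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog standing in for the store's product database.
CATALOG = {
    "SEED-001": Decimal("2.49"),
    "SEED-002": Decimal("3.95"),
}
MAX_QTY = 1000  # assumed sanity limit per order line


def price_order(form_rows):
    """Price an order from submitted form rows (dicts of strings).

    Returns (total, priced_lines, alerts). The unit price always comes
    from CATALOG; a client-supplied 'price' field is treated as untrusted
    input and only checked for tampering.
    """
    total = Decimal("0")
    priced_lines, alerts = [], []
    for row in form_rows:
        sku = row.get("sku", "")
        if sku not in CATALOG:
            alerts.append(f"unknown sku {sku!r}")
            continue
        try:
            qty = int(row.get("quantity", ""))
        except ValueError:
            qty = 0
        if not 1 <= qty <= MAX_QTY:
            alerts.append(f"rejected quantity for {sku}: {row.get('quantity')!r}")
            continue
        unit = CATALOG[sku]  # authoritative price from the database
        claimed = row.get("price")
        if claimed is not None:
            try:
                mismatch = Decimal(claimed) != unit
            except InvalidOperation:
                mismatch = True  # not a number at all
            if mismatch:
                alerts.append(f"price mismatch for {sku}: client sent {claimed!r}")
        priced_lines.append((sku, qty, unit))
        total += unit * qty
    return total, priced_lines, alerts
```

The order is still fulfilled at the catalog price when a mismatch is seen; the alert list is what a store operator would feed into logging or review.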