The company where I work was using this when I arrived, instead of collecting credit card numbers themselves.
http://www.mals-e.com/
I've been wondering how secure it is, and I may have found a vulnerability but I'm not sure. The way we use it is one of our websites submits a form to this URL: http://www.aitsafe.com/cf/pay.cfm and then they collect the billing details. Thing is, the first page doesn't check if there's HTML in any of your details before printing to the screen. Example:
(you will need to get your own userid to replace XXXXXX, it is free though)
Is this actually a security risk to our customers or am I being paranoid?
Third party shopping cart
SpiderMonkey (Forum Commoner, Posts: 85, Joined: Fri May 05, 2006 4:48 am)
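As an added illustration (not code from this thread or from the cart vendor), here is the difference between echoing a submitted billing field straight into the confirmation page and HTML-encoding it first, plus a simple server-side check a site could use to log fields that contain markup; the form field names and values are constructed for the example.

```python
import html
from typing import Dict, List

# Constructed sample: a billing form as it might be POSTed to a cart's
# confirmation page. The address field carries markup that a page which
# echoes values unencoded would render instead of displaying literally.
SAMPLE_FORM: Dict[str, str] = {
    "name": "A. Customer",
    "address": "1 High Street <b>Cardiff</b>",
    "email": "customer@example.com",
}


def render_unsafe(fields: Dict[str, str]) -> str:
    """Echo submitted values directly into HTML: the behaviour described in
    the post (no check for markup before printing to the screen)."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in fields.items())
    return f"<table>{rows}</table>"


def render_safe(fields: Dict[str, str]) -> str:
    """Same page, but every value is HTML-encoded before insertion, so the
    browser receives '&lt;b&gt;' and shows it as text rather than as a tag."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in fields.items()
    )
    return f"<table>{rows}</table>"


def fields_with_markup(fields: Dict[str, str]) -> List[str]:
    """Defender-side check: names of fields containing characters that can
    open a tag or attribute. A name or postal address has no legitimate need
    for these, so their presence is worth logging or alerting on."""
    suspicious = set("<>\"'")
    return sorted(k for k, v in fields.items() if suspicious & set(v))
```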
Maugrim_The_Reaper (DevNet Master, Posts: 2704, Joined: Tue Nov 02, 2004 5:43 am, Location: Ireland)
I can't click on the link since the other side could be logging it, and companies are not fans of ad-hoc exploit queries (even if they are harmless).
I would simply suggest sending an email containing details of what occurs. Don't suggest you intentionally tried the link above - some people have issues with even innocent testing, and some countries have laws against it. Request a response, and follow up after a week or two. Throw in a mention of using the service as some incentive. This may or may not effect an action by the way, it may take weeks or *never* to patch it.
So long as the exploit only allows a user to display such back to themselves - i.e. other users seeing the data, like an Admin, are not impacted - then it's probably low risk to negligible. Do a Google search for similar issues - maybe someone else has seen this?
SpiderMonkey (Forum Commoner, Posts: 85, Joined: Fri May 05, 2006 4:48 am)
Ah, crap, I've sent a load of queries like that. I've even shown my boss it.
And seeing as I've done this over international borders, I may now be classified as an international cyberterrorist. If I no longer reply, you can assume I'm in Guantanamo Bay.
Hopefully I can explain the situation via email. Or escape to Wales.