Third party shopping cart

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


SpiderMonkey
Forum Commoner
Posts: 85
Joined: Fri May 05, 2006 4:48 am

Third party shopping cart

Post by SpiderMonkey »

The company where I work was using this when I arrived, instead of collecting credit card numbers themselves.

http://www.mals-e.com/

I've been wondering how secure it is, and I may have found a vulnerability but I'm not sure. The way we use it is one of our websites submits a form to this url: http://www.aitsafe.com/cf/pay.cfm and then they collect the billing details. Thing is, the first page doesn't check if there's html in any of your details before printing to the screen. Example:


(you will need to get your own userid to replace XXXXXX, it is free though)

Is this actually a security risk to our customers or am I being paranoid?
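For the defect described in this post (submitted field values echoed straight back into the page), here is an added example in PHP, this forum's language. It is not code from the thread or from the payment provider being discussed; the field names and values are constructed, and the two render functions are hypothetical stand-ins for a confirmation page that echoes what the customer typed.

```php
<?php
// Added example, not taken from the thread or from the provider's site.
// Constructed sample input standing in for $_POST on a confirmation page.
$submitted = [
    'name'    => 'Jane <b>Doe</b>',
    'address' => '1 High St <script>alert(1)</script>',
];

// UNSAFE: raw interpolation. Whatever markup the customer typed is handed to
// the browser as HTML, which is exactly the behaviour described in the post.
function renderUnsafe(array $fields): string
{
    $html = '';
    foreach ($fields as $key => $value) {
        $html .= "<p>{$key}: {$value}</p>\n";
    }
    return $html;
}

// SAFE: encode every value for an HTML text or attribute context at the point
// of output. ENT_QUOTES also escapes single quotes so the same helper is safe
// inside quoted attribute values; the explicit UTF-8 charset keeps the
// encoding from depending on server defaults.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(array $fields): string
{
    $html = '';
    foreach ($fields as $key => $value) {
        $key   = (string) $key;
        $value = (string) $value;
        // Visible echo of the details, encoded as text.
        $html .= '<p>' . h($key) . ': ' . h($value) . "</p>\n";
        // Hidden fields that carry the details to the next step of the checkout
        // need the same treatment, since they sit inside attribute values.
        $html .= '<input type="hidden" name="' . h($key) . '" value="' . h($value) . "\">\n";
    }
    return $html;
}

echo "--- unsafe ---\n", renderUnsafe($submitted);
echo "--- safe ---\n",   renderSafe($submitted);
```

Running it shows the difference: the unsafe version emits the `<script>` element intact, so a browser would execute it, while the safe version emits `&lt;script&gt;` and the browser displays the text literally. Input validation on the billing fields is still worthwhile, but it is the output encoding that closes the hole, because the page cannot know in advance every string a browser will treat as markup.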
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I can't click on the link since the other side could be logging it, and companies are not fans of ad-hoc exploit queries (even if they are harmless).

I would simply suggest sending an email containing details of what occurs. Don't suggest you intentionally tried the link above - some people have issues with even innocent testing, and some countries have laws against it. Request a response, and follow up after a week or two. Throw in a mention of using the service as some incentive. This may or may not effect an action by the way, it may take weeks or *never* to patch it.

So long as the exploit only allows a user to display such back to themselves - i.e. other users seeing the data, like an Admin, are not impacted - then it's probably low risk to negligible. Do a Google search for similar issues - maybe someone else has seen this?
SpiderMonkey
Forum Commoner
Posts: 85
Joined: Fri May 05, 2006 4:48 am

Post by SpiderMonkey »

Ah, crap, I've sent a load of queries like that. I've even shown it to my boss.

And seeing as I've done this over international borders, I may now be classified as an international cyberterrorist. If I no longer reply, you can assume I'm in Guantanamo Bay :(

Hopefully I can explain the situation via email. Or escape to Wales.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

"And seeing as I've done this over international borders, I may now be classified as an international cyberterrorist. If I no longer reply, you can assume I'm in Guantanamo Bay"

hehe :)

Good luck, I wish you the best.