Third party shopping cart

Posted: Tue Jun 20, 2006 4:22 am
by SpiderMonkey
The company where I work was using this when I arrived, instead of collecting credit card numbers themselves.

http://www.mals-e.com/

I've been wondering how secure it is, and I may have found a vulnerability but I'm not sure. The way we use it is one of our websites submits a form to this url: http://www.aitsafe.com/cf/pay.cfm and then they collect the billing details. Thing is, the first page doesn't check if there's HTML in any of your details before printing to the screen. Example:


(you will need to get your own userid to replace XXXXXX, it is free though)

Is this actually a security risk to our customers or am I being paranoid?
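The behaviour described above (a form value echoed back into the page without being encoded) is the classic reflected cross-site scripting pattern. The following is an added example, not code from the original thread or from the cart vendor: it decodes a constructed form submission, renders it once the unsafe way and once through HTML escaping, and reports which fields come back with their markup intact. The field names, the sample body and the rendering layout are assumptions made for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: what a checkout form might POST to a payment page.
# The field names and values are assumptions, not data from the real service.
SAMPLE_BODY = (
    "name=Alice+%3Cb%3EBold%3C%2Fb%3E"
    "&email=alice%40example.com"
    "&note=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unsafe(fields: dict) -> str:
    """Echo the submitted values straight into the page.

    This is the behaviour the post describes: any markup the customer
    (or whoever crafted the submission) typed is interpreted by the browser.
    """
    rows = "".join(f"<li>{k}: {v}</li>" for k, v in fields.items())
    return f"<ul>{rows}</ul>"


def render_safe(fields: dict) -> str:
    """Same page, but every value is HTML-escaped so markup is displayed literally."""
    rows = "".join(
        f"<li>{html.escape(k)}: {html.escape(v, quote=True)}</li>"
        for k, v in fields.items()
    )
    return f"<ul>{rows}</ul>"


def reflected_unescaped(fields: dict, page: str) -> list:
    """Names of fields whose raw value contains markup and appears verbatim in the page.

    A simple check a tester can run against a captured response: if a value
    containing < > " or ' comes back byte-for-byte, the page is not encoding it.
    """
    return [
        k for k, v in fields.items()
        if any(c in v for c in "<>\"'") and v in page
    ]


if __name__ == "__main__":
    fields = parse_form(SAMPLE_BODY)
    print(render_unsafe(fields))
    print(render_safe(fields))
    print("reflected without encoding:", reflected_unescaped(fields, render_unsafe(fields)))
    print("reflected without encoding:", reflected_unescaped(fields, render_safe(fields)))
```

The `reflected_unescaped` check is the same test the poster performed by hand, just applied to a captured response rather than by eye. Whether an issue like this reaches other customers depends on how the values arrive at the page: if the same page accepts them from a request an attacker can construct for a victim (for example a link carrying the parameters), the injected markup runs in the victim's browser on the vendor's domain, not only in the tester's own.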

Posted: Tue Jun 20, 2006 6:36 am
by Maugrim_The_Reaper
I can't click on the link since the other side could be logging it, and companies are not fans of ad-hoc exploit queries (even if they are harmless).

I would simply suggest sending an email containing details of what occurs. Don't suggest you intentionally tried the link above - some people have issues with even innocent testing, and some countries have laws against it. Request a response, and follow up after a week or two. Throw in a mention of using the service as some incentive. This may or may not effect an action by the way, it may take weeks or *never* to patch it.

So long as the exploit only allows a user to display such back to themselves - i.e. other users seeing the data, like an Admin, are not impacted - then it's probably low risk to negligible. Do a Google search for similar issues - maybe someone else has seen this?

Posted: Tue Jun 20, 2006 6:40 am
by SpiderMonkey
Ah, crap, I've sent a load of queries like that. I've even shown my boss it.

And seeing as I've done this over international borders, I may now be classified as an international cyberterrorist. If I no longer reply, you can assume I'm in Guantanamo Bay :(

Hopefully I can explain the situation via email. Or escape to Wales.

Posted: Tue Jun 20, 2006 7:22 am
by matthijs
And seeing as I've done this over international borders, I may now be classified as an international cyberterrorist. If I no longer reply, you can assume I'm in Guantanamo Bay
hehe :)

Good luck, I wish you the best.