Bugtraq mailing list archives
Re: Another hole in Cart32
From: aclover () 1VALUE COM (Clover Andrew)
Date: Tue, 23 May 2000 20:30:55 +0200
sert sert <sert_is () HOTMAIL COM> wrote:
They seem to be relying on the client to properly use the security options available in the package.
The options they outline *do not* represent any level of security, "properly" used or not. Anyone can get around the POST restriction by simply creating a form themselves, and anyone can get around the Referer check by connecting to the HTTP server either by hand or using a non-web-browser tool and sending the Referer header themselves. Worse, the Referer check will break functionality on any browser that does not support, or has been configured not to give (for privacy reasons), referring page information. A security policy that relies on trusting the user agent is no security policy at all. With a shopping cart made entirely from client-side JavaScript, such exploits are understandable. When it's a server-side set of scripts, relying on trust is inexcusable.

Michael Form <mike () SECTOR001 ORG> suggested:
all Cart32 users should skim through the orders to see any noticeable price errors.
Indeed. High-tech! E-commerce!! Let's go!!!

--
Andrew Clover
Technical Support
1VALUE.com AG
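The point of the message above, as an added illustration that is not Cart32 code or anything from the thread: a handler that gates on method and Referer and then uses a client-supplied price accepts whatever the sender chooses, while a handler that prices every line from the server's own catalogue does not care what the user agent claims. The catalogue, SKU names and request are constructed for the example.

```python
# Added example (not Cart32 code): why Referer/POST checks are not security,
# and what a server-side price check looks like instead.
from typing import Dict

# Constructed server-side catalogue: the only prices the merchant controls (cents).
CATALOG = {"widget": 1999, "gadget": 4950}

def weak_handler(req: Dict) -> Dict:
    """Trusts the user agent: checks method and Referer, then sums the
    client-supplied price fields. Every input it relies on is chosen by the sender."""
    if req["method"] != "POST":
        return {"ok": False, "reason": "method"}
    if not req["headers"].get("Referer", "").startswith("https://shop.example/"):
        return {"ok": False, "reason": "referer"}
    total = sum(int(i["price"]) * int(i["qty"]) for i in req["form"]["items"])
    return {"ok": True, "total": total, "flags": []}

def hardened_handler(req: Dict) -> Dict:
    """Ignores Referer entirely and prices each line from CATALOG.
    Client price fields are never used for the total; a mismatch is recorded
    so the order can be reviewed (the manual 'skim the orders' check, automated)."""
    total, flags = 0, []
    for item in req["form"]["items"]:
        sku = item.get("sku")
        if sku not in CATALOG:
            return {"ok": False, "reason": f"unknown sku {sku!r}"}
        try:
            qty = int(item.get("qty", 0))
        except ValueError:
            return {"ok": False, "reason": "bad qty"}
        if not 1 <= qty <= 100:
            return {"ok": False, "reason": "bad qty"}
        if "price" in item and str(item["price"]) != str(CATALOG[sku]):
            flags.append(f"client price for {sku} was {item['price']!r}")
        total += CATALOG[sku] * qty
    return {"ok": True, "total": total, "flags": flags}

# Constructed request: a POST carrying a Referer header and a one-cent price,
# both of which are simply fields written by whoever assembled the request.
HANDCRAFTED = {
    "method": "POST",
    "headers": {"Referer": "https://shop.example/cart.html"},
    "form": {"items": [{"sku": "widget", "price": "1", "qty": "2"}]},
}
```

The weak handler returns a two-cent total for this request; the hardened one bills 2 x 1999 cents and flags the line for review.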