Bugtraq mailing list archives
fixed: Re: NON-Secure Credit card info transfer from time.com/pathfinder.com
From: Bob Niederman <btrq () bob-n com>
Date: Thu, 25 Oct 2001 12:19:09 -0500 (CDT)
This has been fixed, around 18 Oct. The operative line of HTML now reads:

<form METHOD="post" action="https://cgi.timeinc.net/cgi-bin/magsubs/cc/booksubs/tdspecialed01">

Ethereal confirms all traffic is https.

- Bob Niederman

On Tue, 16 Oct 2001, Bob Niederman wrote:
When you go to www.time.com and click on "Order This Special Issue" (over the picture of the Time cover showing the second crash into the World Trade Center), you are taken to:

https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html

The problem is that while the page https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html itself is secure, as noted by the "https" at the beginning of the URL, when you click the "Submit Order" button, the HTML in that page reading:

<FORM METHOD="post" action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01">

sends it to a non-secure server, as noted by the "http:" instead of the "https:" in the preceding URL. This causes the credit card number to cross the internet in un-encrypted form.

- Bob Niederman

Fight UCITA! http://www.4cite.org, Free Dmitry Sklyarov. Repeal DMCA. http://freskylarov.org http://eff.org
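
The mixed-scheme form reported in this thread can be caught mechanically. The following Python check is an added example, not part of the original posts: it resolves each form's action against the page URL and reports forms on an https page that submit over plain http. The sample pages are constructed around the two form tags quoted above; the class and function names and the `ccnum` field are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormActionAuditor(HTMLParser):
    """Collect each <form> with the absolute URL its submission is sent to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url  # a <base href> changes relative resolution
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # parser lowercases tag and attribute names
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "form":
            action = attrs.get("action") or ""
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.base_url, action) if action else self.page_url
            self.forms.append(((attrs.get("method") or "get").lower(), target))

def insecure_form_targets(page_url, html):
    """Return (method, target) for forms on an https page that submit over http."""
    if urlsplit(page_url).scheme != "https":
        return []
    auditor = FormActionAuditor(page_url)
    auditor.feed(html)
    return [(m, t) for m, t in auditor.forms if urlsplit(t).scheme == "http"]

# Constructed sample pages; only the <form> tags are taken from the thread.
PAGE = "https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html"
BODY = '<input name="ccnum"><input type="submit" value="Submit Order"></form>'
BEFORE = ('<FORM METHOD="post" action="http://cgi.pathfinder.com/cgi-bin/'
          'magsubs/cc/booksubs/tdspecialed01">' + BODY)
AFTER = ('<form METHOD="post" action="https://cgi.timeinc.net/cgi-bin/'
         'magsubs/cc/booksubs/tdspecialed01">' + BODY)

if __name__ == "__main__":
    for label, html in (("before fix", BEFORE), ("after fix", AFTER)):
        print(label, insecure_form_targets(PAGE, html))
```
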
Current thread:
- NON-Secure Credit card info transfer from time.com/pathfinder.com Bob Niederman (Oct 17)
- fixed: Re: NON-Secure Credit card info transfer from time.com/pathfinder.com Bob Niederman (Oct 25)