Vulnerability Development mailing list archives
Re: Vuln in Verisign PayFlow Link payment service
From: "Megan McRee" <meganmc () mail ru>
Date: Sat, 5 Jan 2002 11:51:24 +0300
How about not submitting the credit card from the site...let PayFlow Link order form gather that information. Set the Pay Flow Link to "Return Post" and in the scripts from which the order is placed do some http_referer checking (along with logging the IP and domain and sending the admin notification) ----- Original Message ----- From: Doru Petrescu <pdoru () kappa ro> To: <vuln-dev () securityfocus com> Sent: Friday, January 04, 2002 12:38 PM Subject: Re: Vuln in Verisign PayFlow Link payment service
Perhaps a fix for VeriSign would be to passback a secret code
(configurable
through the PayFlow Link admin panel) that does not originate from a
cart
input value, but is stored and sent from PayFlow. Then a simple 'if' statement in the cart software could weed out the bad along with an
sent to the admin. That would surely slow someone down if they have to
guess
the secret code's input value.THIS IS WRONG!!! the "secret code" can be hijacked as well if you can afford to make a valid payment FIRST. That will require a valid creditcard something that I don't have so will reduce a little the nr of people that can attempt to crackin. The SAFE WAY is to have a SECRET PASSPHRASE shared between you and VeriSign and use it to ENCODE THE DATA or at least to SIGN THEM. You can use a simetric encoding scheme or a generate a MD5 signature that can be used to verify that the response came from verisign and not someone else. also some random data need to be inserted (like the current timestamp cancat with a random 10 digits number) to shield from "reply" attacks that reuse the same signature. YES this will require some basic crypto functions to be included in the libs they supply, but since this is pure math it is system independent, so it should not introduce any problemes. just my 2c ... A HAPPY NEW YEAR TO ALL OF YOU, ------ Doru Petrescu KappaNet - Senior Software Engineer E-mail: pdoru () kappa ro LINUX - the choice of the GNU generation
Current thread:
- Vuln in Verisign PayFlow Link payment service Keith Royster (Jan 03)
- Re: Vuln in Verisign PayFlow Link payment service Megan McRee (Jan 03)
- Re: Vuln in Verisign PayFlow Link payment service jon schatz (Jan 03)
- Re: Vuln in Verisign PayFlow Link payment service Doru Petrescu (Jan 04)
- Re: Vuln in Verisign PayFlow Link payment service Megan McRee (Jan 05)
- Re: Vuln in Verisign PayFlow Link payment service Keith Royster (Jan 05)
- Re: Vuln in Verisign PayFlow Link payment service Megan McRee (Jan 05)
- Re: Vuln in Verisign PayFlow Link payment service Megan McRee (Jan 03)
- Re: Vuln in Verisign PayFlow Link payment service Keith Royster (Jan 04)
- <Possible follow-ups>
- RE: Vuln in Verisign PayFlow Link payment service Erwin Geirnaert (Jan 04)
- RE: Vuln in Verisign PayFlow Link payment service keith royster (Jan 04)