[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE
From: David Frascone <dave@xxxxxxxxxxxx>
Date: Sat, 5 Jan 2002 19:21:53 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.3.25i

It really depends on the application.  The cart I maintain gets the info
back from verisign via the post, *and* an e-mailed recript.  Also, we
routinely verify large orders at verisign directly.

I'll admit that it's a hole, I just don't think it's a very big one.


Just my $.02 worth,


Dave

On Friday, 04 Jan 2002, keith royster wrote:
> PAYFLOW LINK SERVICE DESCRIPTION: The final checkout page of various online 
> shopping cart applications presents the shopper with a form asking for credit 
> card acct#, exp date, etc.  When the shopper submits the form, the data is sent 
> directly to the vendor's PayFlow Link account at Verisign for validation.  If 
> the credit card information is validated, Verisign authorizes payment and 
> submits the data back to the vendors shopping cart application.  When the 
> vendor's shopping app receives this data, it assumes payment was authorized and 
> finalizes the order for the vendor to fill and ship it.

Prev by Date: Re: gzip bug w/ patch..
Next by Date: Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS)
Previous by thread: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE
Next by thread: Security Advisory for Bugzilla v2.15 (cvs20020103) and older
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilotco.