[ISN] E-commerce Security Threats Are Legion

From: cult hero (jericho@dimensional.com)
Date: Thu May 06 1999 - 22:45:55 CDT


Forwarded From: Mark Merkow <Mark.Merkow@aexp.com>

http://www.webreference.com/ecommerce/mm/column25/

April 29, 1999
E-commerce Security Threats Are Legion

Protect your site! Security placed in the wrong hands is worse than no
security at all. Learn what is required to keep out of harm's way when
implementing and managing your e-commerce site.
                                      
"This is like walking down the street and finding a black Hefty bag filled
with 300 credit cards, all valid. Names, addresses, phone numbers, credit
card numbers, email addresses -- it was all there. This is a nightmare."
- Joe Harris, commenting on the shopping cart vulnerabilities he
discovered and reported to the Bugtraq security mailing list.
  
In last week's Internetnews.com report "Shopping Carts Expose Order Data",
Brian McWilliams underscores how vulnerable e-commerce sites truly are and
emphasizes the need for experienced professionals to help create and
manage any serious undertaking in the e-commerce realm.
                                      
In case you missed the report: Joe Harris, a senior technical support
professional at Blarg Online Services, discovered that improperly
configured shopping cart software writes its transaction log (customer
names, addresses, phone numbers, card numbers and email addresses) as a
world-readable file inside a directory that the web server exposes to the
public Internet, so anyone who knows or guesses the file's URL can download
every order the site has taken.
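The two halves of that finding, locating an exposed order log under a
document root and writing an order record the way that avoids the problem,
as an added example (not code from the article, from Harris, or from any of
the cart vendors named below). The file-name patterns, the htdocs layout and
the sample order records are constructed for the demonstration; the
16-digit numbers are standard test card numbers, and the remediation
(log directory outside the document root, file mode 0600) is the obvious
fix, not a quotation of any vendor's installation instructions, which the
article does not reproduce.

```python
"""Find world-readable order logs under a web document root, and append an
order record the safe way (outside the docroot, owner-only permissions).
Added example; not the article's or any cart vendor's code."""
import os
import re
import stat
import tempfile

# Hypothetical name patterns for cart log files; the article names none.
LOG_NAME_RE = re.compile(r"(order|trans|cart|store).*\.(log|txt|dat|db)$", re.I)
# A run of 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(path: str, max_bytes: int = 1 << 20) -> bool:
    """Scan the first max_bytes of a file for a Luhn-valid 13-16 digit run."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(max_bytes).decode("latin-1")
    except OSError:
        return False
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


def audit_docroot(docroot: str) -> list[dict]:
    """Report every world-readable file under docroot that has a log-like
    name or contains something that passes as a card number. Each finding is
    one URL guess away from the 'Hefty bag of credit cards' Harris describes."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
            except OSError:
                continue
            if not mode & stat.S_IROTH:      # not world-readable: skip
                continue
            name_match = bool(LOG_NAME_RE.search(name))
            card_data = contains_card_number(path)
            if name_match or card_data:
                findings.append({"path": os.path.relpath(path, docroot),
                                 "mode": oct(stat.S_IMODE(mode)),
                                 "name_match": name_match,
                                 "card_data": card_data})
    return findings


def write_order_record(record: str, log_dir: str, docroot: str) -> str:
    """Append one order record to orders.log in log_dir, refusing any log_dir
    that lies under the document root, and forcing mode 0600 on the file."""
    log_dir = os.path.realpath(log_dir)
    docroot = os.path.realpath(docroot)
    if log_dir == docroot or log_dir.startswith(docroot + os.sep):
        raise ValueError("order log directory must not be under the document root")
    os.makedirs(log_dir, mode=0o700, exist_ok=True)
    path = os.path.join(log_dir, "orders.log")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(record.rstrip("\n") + "\n")
    os.chmod(path, 0o600)   # umask-independent; also tightens a pre-existing loose mode
    return path


def demo() -> dict:
    """Constructed scenario: a cart left a world-readable order log under
    htdocs/cgi-bin/store; find it, then write the next order safely."""
    tmp = tempfile.mkdtemp(prefix="cartaudit_")
    docroot = os.path.join(tmp, "htdocs")
    os.makedirs(os.path.join(docroot, "cgi-bin", "store"))
    exposed = os.path.join(docroot, "cgi-bin", "store", "orders.txt")
    with open(exposed, "w") as fh:   # constructed sample record, test card number
        fh.write("1999-04-29,Jane Doe,4111 1111 1111 1111,jane@example.com\n")
    os.chmod(exposed, 0o644)         # what "world-readable" means on the filesystem
    findings = audit_docroot(docroot)
    safe_path = write_order_record(
        "1999-04-29,John Roe,5500 0000 0000 0004,john@example.com",
        os.path.join(tmp, "private", "orders"), docroot)
    return {"findings": findings,
            "safe_mode": stat.S_IMODE(os.stat(safe_path).st_mode),
            "safe_under_docroot": safe_path.startswith(os.path.realpath(docroot))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run the audit against the real document root of a cart installation (and
against the web server's user, since a file the server can read is a file a
client can fetch); a content match with no name match usually means the log
was renamed but never moved, which is the same exposure.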
                                      
Upon further investigation, Harris found vulnerabilities in shopping cart
systems from:
  * Extropia (WebStore)
  * Order Form (a shareware system)
  * EZMall 2000 (Seaside Enterprises)
  * QuickStore (from QuickStore software)
  * PDG Shopping Cart (PDGSoft)
  * SoftCart (Mercantec)
    
"All of these carts could have been secured by following the instructions
that came with the CGI. The reason I found all of these is because the
people did not follow those guidelines," said Harris.
                                      

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]