[ISN] E-commerce Security Threats Are Legion

From: cult hero (jerichoat_private)
Date: Thu May 06 1999 - 20:45:55 PDT

    Forwarded From: Mark Merkow <Mark.Merkowat_private>
    
    http://www.webreference.com/ecommerce/mm/column25/
    
    April 29, 1999
    E-commerce Security Threats Are Legion
    
    Protect your site! Security placed in the wrong hands is worse than no
    security at all. Learn what's required to keep out of harm's way when
    implementing and managing your e-commerce site. 
                                          
    "This is like walking down the street and finding a black Hefty bag filled
    with 300 credit cards, all valid. Names, addresses, phone numbers, credit
    card numbers, email addresses -- it was all there. This is a nightmare." 
    - Joe Harris' recent comments about the shopping cart vulnerabilities he
    discovered and reported to the Bugtraq security mailing list. 
      
    In last week's Internetnews.com report Shopping Carts Expose Order Data,
    Brian McWilliams underscores how vulnerable e-commerce sites truly are and
    emphasizes the need for experienced professionals to help create and
    manage any serious undertakings in the e-commerce realm. 
                                          
    In case you missed the report, Joe Harris, a senior technical support
    professional at Blarg Online Services, discovered that improperly
    configured shopping cart software can leave a world-readable log file of
    transaction data in a directory that is reachable from the public
    Internet, so anyone who guesses the file's URL can download the orders. 
                                          
    Upon further investigation, Harris found vulnerabilities in shopping cart
    systems from: 
      * Extropia (WebStore)
      * Order Form (a shareware system)
      * EZMall 2000 (Seaside Enterprises)
      * QuickStore (from QuickStore software)
      * PDG Shopping Cart (PDGSoft)
      * SoftCart (Mercantec)
        
    "All of these carts could have been secured by following the instructions
    that came with the CGI. The reason I found all of these is because the
    people did not follow those guidelines," said Harris. 
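    The audit script below is an added example and is not part of the article
    or of any of the cart packages named above. It checks for the
    misconfiguration Harris describes: an order log that sits under the web
    server's document root with world-readable permissions, where a plain
    HTTP request will fetch it. The file-name patterns (*.log, *.dat and
    anything containing "order") and the Apache .htaccess directives are
    assumptions about a typical CGI cart of the period, not something the
    article specifies; adjust them to the names your cart actually writes.

```shell
#!/bin/sh
# Added example: audit a web document root for shopping-cart order logs
# that the web server could hand to anyone, then lock them down.
# Assumptions (not from the article): the cart writes its transaction log
# under the document root, the file is named *.log, *.dat or *order*, and
# the server is Apache honouring .htaccess (AllowOverride Limit).

# audit_webroot DIR
# Lists every world-readable file under DIR whose name looks like an order
# log. Returns 0 when nothing is exposed, 1 when at least one file is.
audit_webroot() {
    # -perm -o=r: the "other" read bit is set, so any local user, and the
    # web server's UID when it is not the file owner, can read the file.
    exposed=$(find "$1" -type f -perm -o=r \
        \( -iname '*.log' -o -iname '*.dat' -o -iname '*order*' \) -print)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/EXPOSED: /'
        return 1
    fi
    return 0
}

# harden_logs DIR
# Two independent fixes, so that one regressing does not re-expose the data:
#  1. file permissions: only the owner may read or write the log;
#  2. web server policy: refuse HTTP requests for log files outright.
harden_logs() {
    find "$1" -type f \
        \( -iname '*.log' -o -iname '*.dat' -o -iname '*order*' \) \
        -exec chmod 600 {} +
    # Apache 1.3 / 2.2 access-control syntax (Apache 2.4 uses
    # "Require all denied" instead of the Order/Deny pair).
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "(\.log|\.dat|order)">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# When run directly with a directory argument, report on that tree.
# Usage: sh cart-audit.sh /var/www/htdocs
if [ $# -gt 0 ]; then
    audit_webroot "$1"
fi
```

    Moving the log outside the document root entirely is the better fix when
    the cart lets you configure its path; the .htaccess rule is a safety net
    for carts that insist on writing next to their CGI.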
                                          
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:23:03 PDT