Well so much for that 'deafening silence' on EC app security. ;^)

I count nine so far discovered vulnerable Catalogs.

Selena Sol's WebStore 1.0
http://www.extropia.com/

Order Form v1.2
http://www.io.com/~rga/scripts/cgiorder.html

Seaside Enterprises EZMall 2000
http://www.ezmall2000.com/

QuikStore
http://www.quikstore.com/

PDGSoft's PDG Shopping Cart 1.5
http://www.pdgsoft.com/

Mercantec's SoftCart
http://www.mercantec.com/

Perlshop
http://www.perlshop.com/

Cybercash 2.1.4 - http://www.cybercash.com/

Mountain Network Systems Inc.
http://www.mountain-net.com/

Bill Stout

-----Original Message-----
From: Stout, Bill
Sent: Monday, April 19, 1999 11:01 AM
To: BUGTRAQat_private
Subject: EC app security

Has anyone done a security audit/analysis of Electronic Commerce software packages, such as catalog, database, and payment systems rolled into one? There seems to be a deafening silence on what seems to be the most vulnerable products. Most bug issues are at the 'bit level' (O.S., stack, or services) and not typically at the higher layer applications or workflow process.

One experience: searching for database performance info one day, and pulling up the 'catalog administrator' page of one (political) commerce site. Had a hell of a time convincing the admin that that was a problem, without actually changing anything.

Bill Stout
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:02 PDT