Re: Vuln in Verisign PayFlow Link payment service

From: Keith Royster (keithat_private)
Date: Thu Jan 03 2002 - 19:08:25 PST

    > Perhaps a fix for VeriSign would be to pass back a secret code
    > (configurable through the PayFlow Link admin panel) that does not
    > originate from a cart input value, but is stored and sent from PayFlow.
    > Then a simple 'if' statement in the cart software could weed out the bad
    > along with an e-mail sent to the admin.
    
    I suggested this very idea to Verisign when I initially contacted them. My
    suggestion was to use the account password as the 'secret code' (perhaps
    encrypted?), but any shared secret would do as long as it is only passed
    directly from Verisign back to the shopping cart app.
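
A sketch of the cart-side check discussed in this thread, as an added example that is not part of the original messages and not VeriSign's code. It goes one step beyond passing the secret itself: it assumes the gateway can send an HMAC of the order id and amount keyed with the shared secret, so the secret never travels and a value seen for one order cannot be reused for another. The field names, the secret and the sample data are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed secret: set in the gateway's admin panel, stored server-side by
# the cart, and never placed in any form field the customer's browser sees.
SHARED_SECRET = b"constructed-example-secret"


def order_tag(secret: bytes, order_id: str, amount: str) -> str:
    """HMAC-SHA256 tag binding the shared secret to one order and amount."""
    return hmac.new(secret, f"{order_id}|{amount}".encode(), hashlib.sha256).hexdigest()


def check_passback(body: str, recorded: dict, secret: bytes = SHARED_SECRET):
    """Return (accepted, reason) for one payment-confirmation POST body.

    recorded maps order id -> amount the cart itself stored at checkout.
    Field names (order_id, amount, tag) are hypothetical.
    """
    post = parse_qs(body, keep_blank_values=True)
    fields = {}
    for name in ("order_id", "amount", "tag"):
        values = post.get(name, [])
        if len(values) != 1:  # missing or duplicated field
            return False, f"bad field: {name}"
        fields[name] = values[0]
    expected = order_tag(secret, fields["order_id"], fields["amount"])
    # Constant-time comparison; a sender without the secret cannot compute this tag.
    if not hmac.compare_digest(expected.encode(), fields["tag"].encode()):
        return False, "tag mismatch"
    # The message is authentic; now it must also match the cart's own record.
    if recorded.get(fields["order_id"]) != fields["amount"]:
        return False, "amount mismatch"
    return True, "ok"


# Constructed sample data.
RECORDED = {"1001": "49.95"}
GENUINE = "order_id=1001&amount=49.95&tag=" + order_tag(SHARED_SECRET, "1001", "49.95")
FORGED = "order_id=1001&amount=49.95&tag=" + "0" * 64
UNDERPAID = "order_id=1001&amount=0.01&tag=" + order_tag(SHARED_SECRET, "1001", "0.01")

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("forged", FORGED), ("underpaid", UNDERPAID)):
        print(label, check_passback(body, RECORDED))
```

Any rejection reason returned here is what the cart would log and e-mail to the admin, as the quoted suggestion proposes.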
    


