Most, if not all, of the info you are checking against (http_referer, IP, etc) can be spoofed. I know I could use a local proxy like Proxomitron (www.proxomitron.org) to do a search-n-replace on my http_referrer. The IP address would be more difficult, but still doable.

----- Original Message -----
From: "Megan McRee" <meganmcat_private>
To: <vuln-devat_private>
Cc: <pdoruat_private>
Sent: Saturday, January 05, 2002 3:51 AM
Subject: Re: Vuln in Verisign PayFlow Link payment service

> How about not submitting the credit card from the site...let PayFlow Link
> order form gather that information. Set the Pay Flow Link to "Return Post"
> and in the scripts from which the order is placed do some http_referer
> checking (along with logging the IP and domain and sending the admin
> notification)
>
> ----- Original Message -----
> From: Doru Petrescu <pdoruat_private>
> To: <vuln-devat_private>
> Sent: Friday, January 04, 2002 12:38 PM
> Subject: Re: Vuln in Verisign PayFlow Link payment service
>
> > > Perhaps a fix for VeriSign would be to passback a secret code (configurable
> > > through the PayFlow Link admin panel) that does not originate from a cart
> > > input value, but is stored and sent from PayFlow. Then a simple 'if'
> > > statement in the cart software could weed out the bad along with an e-mail
> > > sent to the admin. That would surely slow someone down if they have to guess
> > > the secret code's input value.
> >
> > THIS IS WRONG!!!
> >
> > the "secret code" can be hijacked as well if you can afford to make a
> > valid payment FIRST. That will require a valid credit card, something that I
> > don't have, so will reduce a little the nr of people that can attempt
> > cracking.
> >
> > The SAFE WAY is to have a SECRET PASSPHRASE shared between you and
> > VeriSign and use it to ENCODE THE DATA or at least to SIGN THEM.
> >
> > You can use a symmetric encoding scheme or generate an MD5 signature that
> > can be used to verify that the response came from VeriSign and not someone
> > else. Also some random data needs to be inserted (like the current
> > timestamp concat with a random 10 digit number) to shield from "replay"
> > attacks that reuse the same signature.
> >
> > YES this will require some basic crypto functions to be included in the
> > libs they supply, but since this is pure math it is system independent, so
> > it should not introduce any problems.
> >
> > just my 2c ...
> >
> > A HAPPY NEW YEAR TO ALL OF YOU,
> > ------
> > Doru Petrescu
> > KappaNet - Senior Software Engineer
> > E-mail: pdoruat_private LINUX - the choice of the GNU generation
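The signed-response scheme Doru Petrescu argues for above (a passphrase shared with the gateway, a signature over the returned data, and a timestamp plus random value so a captured signature cannot be replayed) worked through as an added example. This is not code from the thread or from VeriSign's PayFlow Link; it uses HMAC-SHA256 in place of the MD5 signature he mentions, and the field names, shared secret, timestamps and order values are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Hypothetical shared passphrase: configured out of band with the gateway,
# never carried in the order form or the browser. Placeholder value only.
SHARED_SECRET = b"example-shared-passphrase-CHANGE-ME"

MAX_CLOCK_SKEW = 300  # seconds a signed response stays acceptable


def canonical_message(fields, timestamp, nonce):
    """Serialize the vouched-for fields plus timestamp and nonce in a fixed
    order, so signer and verifier hash exactly the same bytes."""
    items = sorted(fields.items()) + [("ts", str(timestamp)), ("nonce", nonce)]
    return urlencode(items).encode()


def sign_response(fields, secret=SHARED_SECRET, now=None, nonce=None):
    """Gateway side: attach ts, a random nonce and an HMAC-SHA256 signature."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(secret, canonical_message(fields, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return dict(fields, ts=str(timestamp), nonce=nonce, sig=mac)


class ResponseVerifier:
    """Merchant side: accept a posted response only if it is untampered,
    recent, and its nonce has not been seen before."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_CLOCK_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = set()  # would be persisted (e.g. a DB table) in practice

    def verify(self, posted, now=None):
        """Return (ok, reason); ok is True only for a fresh, genuine response."""
        now = now if now is not None else time.time()
        try:
            ts = int(posted["ts"])
            nonce = posted["nonce"]
            sig = posted["sig"]
        except (KeyError, ValueError):
            return False, "missing ts/nonce/sig"
        fields = {k: v for k, v in posted.items() if k not in ("ts", "nonce", "sig")}
        expected = hmac.new(self.secret, canonical_message(fields, ts, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; the signature is checked before freshness
        # so a forger learns nothing from the timestamp or nonce checks.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Run the cases the thread discusses; returns a dict of (ok, reason)."""
    order = {"orderid": "A1001", "amount": "49.95", "result": "0"}  # constructed sample
    t0 = 1_010_000_000  # constructed epoch timestamp
    resp = sign_response(order, now=t0, nonce="deadbeefcafef00d")
    verifier = ResponseVerifier()
    results = {}
    results["genuine"] = verifier.verify(resp, now=t0 + 5)       # accepted
    results["replay"] = verifier.verify(resp, now=t0 + 6)        # same nonce again
    tampered = dict(resp, amount="0.01")                         # amount edited in transit
    results["tampered"] = ResponseVerifier().verify(tampered, now=t0 + 5)
    results["stale"] = ResponseVerifier().verify(resp, now=t0 + 3600)
    forged = dict(order, ts=str(t0), nonce="x", sig="0" * 64)    # no secret, guessed sig
    results["forged"] = ResponseVerifier().verify(forged, now=t0)
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:9s} accepted={ok} ({why})")
```

The verifier binds the secret to the order fields, so the signature from one legitimately completed payment (the "make a valid payment FIRST" case) cannot be reattached to a different order or amount, and the timestamp window plus nonce store covers the replay case the post raises; for a real deployment the seen-nonce set has to survive restarts and be shared across web servers.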
This archive was generated by hypermail 2b30 : Sat Jan 05 2002 - 09:01:37 PST