itransact.txt

2001-12-17T00:00:00
ID PACKETSTORM:25545
Type packetstorm
Reporter Jesse S. Williams
Modified 2001-12-17T00:00:00

Description

                                        
                                            `From: "Jesse S. Williams" <jesse.williams@xepherys.net>  
Subject: A security flaw (itransact.com)  
Date: Fri, 14 Dec 2001 22:39:02 -0500  
  
<-- Snip --  
  
  
I believe I have found a security hole in [the itransact.com] payment accepting scripts.  
Currently, the scripts do not require the POST of forms to come from within  
your own site (or affiliate sites). If one were to follow a merchants site  
to your purchase page, then view the source, copy the forms into a new  
document and change the price, they could then use this new form, from any  
website, to purchase said products for any price they choose. You may want  
to look into this issue.  
  
  
Sincerely,  
  
Jesse S. Williams  
`