[10373] in bugtraq


Re: EC app security

daemon@ATHENA.MIT.EDU (Stout, Bill)
Wed Apr 28 15:07:25 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <33C5AB9085E1D1119AB90000F89CBC7E05D93C22@PIOUSHQNTMAIL1.PIOS.COM>
Date: 	Tue, 27 Apr 1999 16:40:51 -0400
Reply-To: "Stout, Bill" <StoutB@PIONEER-STANDARD.COM>
From: "Stout, Bill" <StoutB@PIONEER-STANDARD.COM>
To: BUGTRAQ@NETSPACE.ORG

Well so much for that 'deafening silence' on EC app security.  ;^)

I count nine so far discovered vulnerable Catalogs.

Selena Sol's WebStore 1.0  http://www.extropia.com/
Order Form v1.2  http://www.io.com/~rga/scripts/cgiorder.html
Seaside Enterprises EZMall 2000  http://www.ezmall2000.com/
QuikStore  http://www.quikstore.com/
PDGSoft's PDG Shopping Cart 1.5  http://www.pdgsoft.com/
Mercantec's SoftCart  http://www.mercantec.com/
Perlshop  http://www.perlshop.com/
Cybercash 2.1.4  http://www.cybercash.com/
Mountain Network Systems Inc.  http://www.mountain-net.com/

Bill Stout

		-----Original Message-----
		From:	Stout, Bill
		Sent:	Monday, April 19, 1999 11:01 AM
		To:	BUGTRAQ@NETSPACE.ORG
		Subject:	EC app security

		Has anyone done a security audit/analysis of Electronic Commerce software packages, such as catalog, database, and payment systems rolled into one? There seems to be a deafening silence on what seems to be the most vulnerable products. Most bug issues are at the 'bit level' (O.S., stack, or services) and not typically at the higher layer applications or workflow process.

		One experience: searching for database performance info one day, and pulling up the 'catalog administrator' page of one (political) commerce site. Had a hell of a time convincing the admin that that was a problem, without actually changing anything.

		Bill Stout
