[14996] in bugtraq


QuickCommerce Vulnerability

daemon@ATHENA.MIT.EDU (zoran@UVINC.COM)
Tue May 23 13:02:46 2000

Message-Id:  <00d401bfc430$a0e06cc0$0900000a@intranet.int>
Date:         Mon, 22 May 2000 15:59:30 -0500
Reply-To: zoran@UVINC.COM
From: zoran@UVINC.COM
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM


A vulnerability exists in the entire QuickCommerce E-Commerce solutions package. For every item that you want your customer to buy, you are required to place the following code on your page...

<FORM METHOD=POST ACTION="https://secure.quickcommerce.net/gateway/transact.dll">

<INPUT TYPE=HIDDEN NAME="x_Version" VALUE="3.0">

<INPUT TYPE=HIDDEN NAME="x_Login" VALUE="???????">

<INPUT TYPE=HIDDEN NAME="x_Show_Form" VALUE="PAYMENT_FORM">

<INPUT TYPE=HIDDEN NAME="x_Amount" VALUE="3000.00">

<INPUT TYPE=HIDDEN NAME="x_Cust_ID" VALUE="??????">

<INPUT TYPE=HIDDEN NAME="x_Description" VALUE="EZ All for Bonds and S&P 500">

<INPUT TYPE=HIDDEN NAME="x_Invoice_Num" VALUE="29910">

<INPUT TYPE=SUBMIT FONT-SIZE="-2" VALUE="ONLY $3,000.00">

</FORM>

--------------------------------------------------------------------------

I took out the values for x_Login and x_Cust_ID for obvious reasons. One could take this code from a page after viewing the source, and place it on a blank (or not) page on their own server. One could change the value for x_Amount to 0.00 or 0.01 and get free products. Of course if you view the source, you would see that the x_Login and x_Cust_ID values are already there, so no need to go hunting for the person's login id and such.

I thought this was interesting, because QuickCommerce (www.ecx.com/qc) boasts that this is secure...

"QuickCommerce is a complete secure transaction processing system." ... Just because it is a secure server does not make it so. So in summary, one could take this code from a page using the QuickCommerce system, and purchase certain products for nothing, or for very low prices.



Erik Tayler

14x Network Security Inc.

http://www.14x.net
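The root cause described in the post is that the price lives in a hidden field the browser controls and the gateway charges whatever arrives. The following is an added example, written for this archive page and not code from the post, from 14x Network Security or from QuickCommerce; it shows the standard mitigation a merchant or gateway would apply. It reuses the field names from the quoted form (x_Login, x_Cust_ID, x_Invoice_Num, x_Amount) but assumes a server-side catalog, a shared secret and an extra x_Fingerprint field, none of which the post mentions; those are hypothetical. A vulnerable handler that trusts the posted amount is shown beside a hardened one that only honours the price from its own catalog and rejects any submission whose signed fields were altered.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed catalog (hypothetical): the authoritative price per invoice number,
# held on the server and never taken from the submitted form.
CATALOG = {"29910": Decimal("3000.00")}

# Constructed shared secret (hypothetical): known to the merchant server and the
# gateway, never placed in the HTML the customer can view.
TRANSACTION_KEY = b"example-shared-secret-not-a-real-key"

# Field names are those of the form quoted in the post; x_Fingerprint is an assumed extra field.
SIGNED_FIELDS = ("x_Login", "x_Cust_ID", "x_Invoice_Num", "x_Amount")


def fingerprint(fields, key=TRANSACTION_KEY):
    """HMAC-SHA256 over the fields whose alteration would change what gets charged."""
    message = "|".join(str(fields.get(name, "")) for name in SIGNED_FIELDS).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_form_fields(login, cust_id, invoice_num):
    """Merchant server emits the hidden fields: price from the catalog, plus a fingerprint."""
    fields = {
        "x_Version": "3.0",
        "x_Login": login,
        "x_Show_Form": "PAYMENT_FORM",
        "x_Cust_ID": cust_id,
        "x_Invoice_Num": invoice_num,
        "x_Amount": f"{CATALOG[invoice_num]:.2f}",
    }
    fields["x_Fingerprint"] = fingerprint(fields)
    return fields


def charge_vulnerable(submitted):
    """The behaviour the post describes: the amount the browser posted is the amount charged."""
    return f"{Decimal(submitted['x_Amount']):.2f}"


def charge_hardened(submitted, key=TRANSACTION_KEY):
    """Reject any submission whose signed fields changed or whose amount disagrees with the catalog."""
    if not hmac.compare_digest(fingerprint(submitted, key), submitted.get("x_Fingerprint", "")):
        raise ValueError("fingerprint mismatch: hidden fields were altered after the page was served")
    authoritative = CATALOG.get(submitted.get("x_Invoice_Num"))
    if authoritative is None:
        raise ValueError("unknown invoice number")
    if Decimal(submitted["x_Amount"]) != authoritative:
        raise ValueError("posted amount does not match the catalog price")
    return f"{authoritative:.2f}"


def demo():
    """Serve a form, alter x_Amount the way the post describes, and compare both handlers."""
    served = build_form_fields("merchant-login", "cust-42", "29910")
    altered = dict(served, x_Amount="0.01")
    try:
        charge_hardened(altered)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return {
        "genuine_hardened": charge_hardened(served),       # "3000.00"
        "altered_vulnerable": charge_vulnerable(altered),  # "0.01": the free-product case
        "altered_hardened_rejects": hardened_rejects,      # True
    }


if __name__ == "__main__":
    print(demo())
```

The catalog lookup alone would already defeat a changed x_Amount; the fingerprint is kept as well so that the gateway, which has no catalog of its own, can detect tampering without a round-trip to the merchant, and so that changes to x_Login or x_Cust_ID are caught too. Either way, the rule is that a value the customer can edit is an input to validate, not a fact to bill against.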


