[22997] in bugtraq
fixed: Re: NON-Secure Credit card info transfer from time.com/pathfinder.com
daemon@ATHENA.MIT.EDU (Bob Niederman)
Thu Oct 25 15:02:14 2001
Date: Thu, 25 Oct 2001 12:19:09 -0500 (CDT)
From: Bob Niederman <btrq@bob-n.com>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.10.10110161922300.4842-100000@bob-n.com>
Message-ID: <Pine.LNX.4.10.10110251216420.1018-100000@bob-n.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
This has been fixed, around 18 Oct. The operative line of HTML now reads:
<form METHOD="post"
action="https://cgi.timeinc.net/cgi-bin/magsubs/cc/booksubs/tdspecialed01">
Ethereal confirms all traffic is https.
- Bob Niederman
On Tue, 16 Oct 2001, Bob Niederman wrote:
>
> When you go to www.time.com and click on "Order This Special Issue" (over
> the picture of the Time cover showing the second crash into the World
> Trade Center), you are taken to:
>
> https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html
>
> The problem is that while the page
>
> https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html
>
> itself is secure, as noted by the "https" at the beginning of the URL,
> when you click the "Submit Order" button, the HTML in that page
> reading:
>
> <FORM METHOD="post"
> action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01">
>
> sends it to a non-secure server, as noted by the "http:" instead of the
> "https:" in the preceding URL.
>
> This causes the credit card number to cross the internet in
> unencrypted form.
>
> - Bob Niederman
>
> Fight UCITA! http://www.4cite.org,
>
> Free Dmitry Skylarov. Repeal DMCA. http://freskylarov.org
> http://eff.org
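As an added illustration (not part of Bob's post or of the site's own code), here is a small audit helper for the class of defect reported in this thread: a form on an HTTPS page whose action would submit over plain HTTP. The HTML fragments are constructed to mirror the quoted before/after markup, and the host and path values are taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Record the action attribute of every <form> tag (html.parser lowercases names)."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            attrs = {k: (v or "") for k, v in attrs}
            self.actions.append(attrs.get("action", ""))


def insecure_form_actions(page_url, html):
    """Return resolved form targets on an HTTPS page that would submit over plain HTTP.

    Empty or relative actions resolve against page_url as a browser would, so a
    form with no action on an https page is correctly not flagged.
    """
    if urlsplit(page_url).scheme.lower() != "https":
        raise ValueError("page_url must be an https:// URL")
    parser = _FormActionCollector()
    parser.feed(html)
    targets = (urljoin(page_url, a) for a in parser.actions)
    return [t for t in targets if urlsplit(t).scheme.lower() == "http"]


# Constructed sample pages mirroring the reported (broken) and the fixed markup.
PAGE_URL = "https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html"
BROKEN_HTML = """<FORM METHOD="post"
action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01">
<input name="cc" type="text"><input type="submit" value="Submit Order"></FORM>"""
FIXED_HTML = """<form METHOD="post"
action="https://cgi.timeinc.net/cgi-bin/magsubs/cc/booksubs/tdspecialed01">
<input name="cc" type="text"><input type="submit" value="Submit Order"></form>"""

if __name__ == "__main__":
    print(insecure_form_actions(PAGE_URL, BROKEN_HTML))  # flags the http:// target
    print(insecure_form_actions(PAGE_URL, FIXED_HTML))   # prints []
```

Note that a scheme-relative action (`//host/path`) inherits https from the page and is therefore not flagged, which matches what a browser would do.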