[ic] would that be possible with IC ?

cfm@maine.com cfm@maine.com
Tue, 6 Mar 2001 09:09:50 -0500


On Tue, Mar 06, 2001 at 01:05:28AM -0700, Ryan Hertz wrote:
> 
> >
> >I haven't the experience to know this, but could IC be abused
> >the way this article describes other shopping cart applications can ?
> >
> >http://www.zdnet.com/zdnn/stories/news/0,4586,2692337,00.html?chkpt=zdnn_rt_latest

It would be best to summarize rather than post links.  :-)  That way
we can address your interpretation rather than our interpretation.  I
might see an entirely different abuse than you!

> >
> >BF
> 
> I seriously doubt it.  Although I've heard about that type of hack many 
> years ago, I never imagined that anyone would write software that would 
> be susceptible to that type of exploit.  AFAIK Interchange never asks the 
> literal page for the price, it looks in its database to match the price to 
> the item ordered. (duh)

If that means keying in the price of an item, yes, one could mangle minivend
so it would do that; but not the stock install.

Yahoo stores last year let one enter the price into a get string, not even
a hidden string.  At least the seed catalog store I use did.  I noted that
that convenient order entry is not available this year when I ordered this
past weekend.  :-) 

> 
> There is a possibility that Cybercash-like interfaces could be vulnerable 
> if the dollar value ever exists in a hidden form field, or URL 
> encoded.  But then, that's not IC, is it?  ;-)

Last I played with Cybercash that was all encrypted.  Still, we've not
used Cybercash for several years now;  all of our merchants have moved back
to their regular processors.

-- 

Christopher F. Miller, Publisher                             cfm@maine.com
MaineStreet Communications, Inc         208 Portland Road, Gray, ME  04039
1.207.657.5078                                       http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux
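
The point made in the thread, that the price is looked up in the store's database rather than read from the page or the query string, shown as an added example that is not part of the original message and is not Interchange code. The catalog, SKUs and the field names `sku`, `qty` and `price` are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalog standing in for the store's price database.
CATALOG = {
    "SEED-101": Decimal("2.95"),
    "SEED-205": Decimal("4.50"),
}


def price_order(query_string):
    """Price one order line from a submitted query string.

    The unit price always comes from CATALOG. A client-supplied 'price'
    field is never used for the total; it is only compared against the
    catalog so that a mismatch can be logged for review.
    Returns (total, tampered). Raises ValueError on unusable input.
    """
    fields = parse_qs(query_string, strict_parsing=True)

    sku = fields.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")

    qty_raw = fields.get("qty", [""])[0]
    if not (qty_raw.isascii() and qty_raw.isdigit()):
        raise ValueError("bad quantity")
    qty = int(qty_raw)
    if not 1 <= qty <= 999:
        raise ValueError("quantity out of range")

    unit = CATALOG[sku]
    tampered = False
    if "price" in fields:
        try:
            tampered = Decimal(fields["price"][0]) != unit
        except InvalidOperation:
            tampered = True  # not a number at all
    # A repeated parameter is also treated as suspicious input.
    if any(len(values) > 1 for values in fields.values()):
        tampered = True

    return unit * qty, tampered
```
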