[ic] would that be possible with IC ?
Tue, 6 Mar 2001 09:09:50 -0500
On Tue, Mar 06, 2001 at 01:05:28AM -0700, Ryan Hertz wrote:
> >I haven't the experience to know this, but could IC be abused
> >the way this article describes other shopping cart applications can ?
It would be best to summarize rather than post links. :-) That way
we can address your interpretation rather than our interpretation. I
might see an entirely different abuse than you!
> I seriously doubt it. Although I've heard about that type of hack many
> years ago, I never imagined that anyone would write software that would
> be susceptible to that type of exploit. AFAIK Interchange never asks the
> literal page for the price, it looks in its database to match the price to
> the item ordered. (duh)
If that means keying in the price of an item, yes, one could mangle minivend
so it would do that; but not the stock install.
Yahoo stores last year let one enter the price into a get string, not even
a hidden string. At least the seed catalog store I use did. I noted that
that convenient order entry is not available this year when I ordered this
past weekend. :-)
> There is a possibility that Cybercash-like interfaces could be vulnerable
> if the dollar value ever exists in a hidden form field, or URL
> encoded. But then, that's not IC, is it? ;-)
Last I played with Cybercash that was all encrypted. Still, we've not
used Cybercash for several years now; all of our merchants have moved back
to their regular processors.
Christopher F. Miller, Publisher email@example.com
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
Content management, electronic commerce, internet integration, Debian linux
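
The server-side price lookup discussed in this thread, as an added example that is not part of the original message and is not Interchange code. The catalog contents, parameter names (`sku`, `qty`, `price`) and the function name are assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog: SKU -> authoritative unit price.
CATALOG = {"SEED-101": Decimal("2.95"), "SEED-202": Decimal("4.50")}


def price_order(query_string):
    """Price one order line from a request query string.

    Returns (total, warnings). The unit price always comes from CATALOG.
    A client-supplied 'price' parameter is never used for the total; it is
    only compared against the catalog so a mismatch can be logged.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    sku = params.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown sku: %r" % sku)

    try:
        qty = int(params.get("qty", ["1"])[0])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 1000:
        raise ValueError("quantity out of range")

    unit = CATALOG[sku]
    warnings = []
    if "price" in params:
        claimed = params["price"][0]
        try:
            mismatch = Decimal(claimed) != unit
        except InvalidOperation:
            mismatch = True  # not a number at all
        if mismatch:
            warnings.append("client price %r ignored for %s (catalog %s)"
                            % (claimed, sku, unit))
    return unit * qty, warnings


if __name__ == "__main__":
    # Constructed request: the query string claims a price of 0.01.
    print(price_order("sku=SEED-101&qty=2&price=0.01"))
```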