
Security problems in recent list spam



I was irritated enough by a recent commercial spam to the list
(a message from Sue) that I researched the web pages it points us to.

I note 2 very interesting features in the order form page
(www.steppingstones.com/ordercab.htm)

This form collects various info, and returns a POST request invoking
 ACTION="/cgi-bin/mailto.exe"

It appears that these folks leave themselves open to some abuse,
from anyone creative enough to modify the form slightly!

Also, in the ObSnakeOil department, the form contains this claim:
> You are ordering via a secure server which scrambles your credit card
> information to prevent it from being intercepted.  If, however, you are
> still not comfortable sending your credit card number on line, please
> fill out the above order form without any payment information and either
> call us toll free at 1-800-585-1118 (outside the US, call (203) 730-2220)
...

Now, it appears that this form returns a non-encrypted POST request
to their server, and furthermore the action taken by the server
is to email all the data to the ultimate business recipient.
Thus the credit card info would be sent through the net TWICE as
plaintext.
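The two problems described in this post (an order form that submits card data to a non-TLS action, and an action that is a mail-forwarding CGI so the data travels a second time as email) are the kind of thing one can check mechanically when auditing a site. The following is an added example written for this archive, not code from the original post or from the site discussed; the page URL and the `/cgi-bin/mailto.exe` action are taken from the post, while the field names and the list of "sensitive" name hints are assumptions.

```python
"""Audit HTML forms for card data submitted without TLS or relayed by a mail CGI."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page modelled on the order form the post describes.
# The page URL and ACTION value are quoted in the post; the input names
# (name, cardnumber, expiry) are assumptions for the sake of the example.
PAGE_URL = "http://www.steppingstones.com/ordercab.htm"
SAMPLE_HTML = """
<html><body>
<form method="POST" action="/cgi-bin/mailto.exe">
  <input type="text" name="name">
  <input type="text" name="cardnumber">
  <input type="text" name="expiry">
  <input type="submit" value="Order">
</form>
<form method="GET" action="https://search.example/q">
  <input type="text" name="q">
</form>
</body></html>
"""

# Heuristic substrings that suggest a payment field (assumption, not a standard).
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "expir")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when the attribute is bare
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "fields": [],
            }
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(html, page_url):
    """Return one finding per form: resolved action, method, sensitive fields, issues."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Resolve a relative ACTION against the page URL so the scheme is visible.
        target = urljoin(page_url, form["action"])
        scheme = urlsplit(target).scheme.lower()
        sensitive = [
            f for f in form["fields"]
            if any(hint in f.lower() for hint in SENSITIVE_HINTS)
        ]
        issues = []
        if sensitive and scheme != "https":
            issues.append("sensitive fields submitted without TLS")
        if "mailto" in target.lower():
            issues.append("action looks like a mail-forwarding CGI; data is relayed again as email")
        findings.append({
            "action": target,
            "method": form["method"],
            "sensitive_fields": sensitive,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_HTML, PAGE_URL):
        print(finding)
```

Run against the sample page, the first form is flagged on both counts (non-TLS submission of `cardnumber` and `expiry`, and a mail-relay action), while the plain search form with an `https://` action produces no issues. The "mailto" check is a name heuristic only; on a real audit the confirming step is to read what the CGI actually does with the posted data, since a form can be served over TLS and still hand the data to a script that emails it in the clear.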