A security flaw in the itransact.com credit card payment system allows users to change the price of merchandise ordered.
d2ef91a633470fc9cfb5fcddc6efc11dc6bb686462ccd29b78c18ee6d0ea5e3c
From: "Jesse S. Williams" <jesse.williams@xepherys.net>
Subject: A security flaw (itransact.com)
Date: Fri, 14 Dec 2001 22:39:02 -0500
<-- Snip --
I believe I have found a security hole in [the itransact.com] payment accepting scripts.
Currently, the scripts do not require the POST of forms to come from within
your own site (or affiliate sites). If one were to follow a merchants site
to your purchase page, then view the source, copy the forms into a new
document and change the price, they could then use this new form, from any
website, to purchase said products for any price they choose. You may want
to look into this issue.
Sincerely,
Jesse S. Williams