荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: bstone (Less time in bbs), 信区: Hacker
标 题: Authorize.net calls passwords in clear text as pa
发信站: BBS 荔园晨风站 (Sun Aug 6 19:46:16 2000), 转信
发信人: scz (小四), 信区: Security
标 题: Authorize.net calls passwords in clear text as pa
发信站: 武汉白云黄鹤站 (Fri Aug 4 20:42:44 2000), 站内信件
Recently we switched to authorize.net for credit card processing.
After a bit of work trying to fix a processing problem we were having.
I noticed that our login and password were in clear text as part of the
URL.
I contacted authorize.net regarding my concerns and there response was:
Date: Mon, 10 Jul 2000 08:41:11 -0700
Greetings from Authorize.Net!
Thank you for taking the time to write to us. I sent this issue up to the
developers, and here is their response:
This aspect of the system seems to be a security risk at first glance,
but
upon further explanation, it becomes clear that this is no more an
issue than anything else that can be accessed on someone's machine. He is
pointing out the fact that the password and the login can be found
on a machine in the URL. This is absolutely true. But why would someone
without permission have access to this person's computer? Is this
person accessing his virtual terminal from the public library? It's true
that if a person is looking over this person's shoulder as they login to
the
merchant menu, then they are at risk. But that same security risk applies
to any confidential papers that may be stored on that person's
computer, as well as any saved passwords for their banking, their email,
etc. To avoid having this be a problem, they must make sure their
computer is in a safe area that isn't accessed by anyone whom they
wouldn't
want to know the password.
Thank you for contacting our customer service group. Please let us know
if
there is anything we can do to help you in the future.
Greg
Authorize.Net
Customer Support
The problem:
Example:
--------------------------------------
Taken from the page right after the login screen.
HREF="minterface.dll?statement&x_login=mylogin&x_password=mypass"
TARGET="main">
HREF="minterface.dll?settingsmenu&x_login=mylogin&x_password=mypass"
TARGET="main">
HREF="/common/comingsoon.html" TARGET="main">
HREF="minterface.dll?support&x_login=mylogin&x_password=mypass"
TARGET="main">
----------------------------------------------------
After some looking around I found that Netscape's netscape.hst file could
be searched
for "minterface.dll" with a text editor. It also contains the login and
password in clear text.
Example:
-----------------------------------------------------------------------
Taken from netscape.hst.
Batch Reports
https://secure.authorize.net/Interface/minterface.dll?batchreportmenu&x_login=my
login&x_password=mypass
-----------------------------------------------------------------------
Under Internet Explorer the same thing can be obtained looking
through the history.
This means:
Anyone with knowledge of what machine is used to login to authorize.net
can obtain the clear text username and password. Another example would be
something
like the I-LOVE-YOU virus spread via email. This could then be used to
send back Netscape and Internet Explorer history files to an attacker.
I wanted to take the time to write something aimed at outlook and or
internet explorer.
To show how this could easily be exploited. Unfortunately I don't have the
time.
Possible Solutions:
Use the POST method instead of GET to pass arguments to cgi programs.
Or some form of encryption on the password and other sensitive data.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
John C. Hennessy johnh@charm.net
Systems Administrator 410-558-3579
Charm Net, Inc. http://www.charm.net
"Do just once what others say you can't do, and you will never pay
attention to their limitations again." - James R. Cook
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
也许有一天,他再从海上蓬蓬的雨点中升起,
飞向西来,再形成一道江流,再冲倒两旁的石壁,
再来寻夹岸的桃花。然而,我不敢说来生,也不敢信来生......
※ 来源:.武汉白云黄鹤站 bbs.whnet.edu.cn.[FROM: 203.207.226.124]
--------------------------------------------------------------------------------
分类讨论区 全部讨论区 上一篇 本讨论区 回文章 下一篇
--
☆ 来源:.BBS 荔园晨风站 bbs.szu.edu.cn.[FROM: bbs@192.168.28.106]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店