[Shirkdog Security Advisory SHK-001]
Title: ------- Payflow Link Default Config may lead to Hidden Field Modification
Description of Application: ------------------------------------ http://verisign.com/products-services/payment-processing/online-payment/payflow-link/index.html (careful with the line wrap)
Payflow Link is an easy to use payment form that can be added to any website with little or no installation or configuration. Customers can simply click on a link to be directed to a secure order form hosted by VeriSign and make purchases with a variety of payments methods.
Vulnerability: ----------------- In the default configuration of Payflow Link, the hidden field "AMOUNT" can be changed to whatever dollar amount and passed to the secure PayFlow Link webpage. Also, there is no verification of the source of the POST; therefore anyone can submit the HIDDEN field values from anywhere without verification of the originating IP.
Impact: ---------- An attacker can change the hidden field to any dollar amount and misrepresent purchases for businesses providing products or services.
Risk Level: -------------- Medium
Solution: ------------ Provided by VeriSign (The Accepted URL feature is disclosed in the PayFlow Link documentation but not enabled by default and not a part of the HTML used to setup PayFlow Link.)
What is an Accepted URL?
The Accepted URL security feature stops fraudsters from changing the dollar value of amounts being passed to or from Payflow Link. When a customer places an order, Payflow Link compares the originating Web site against the domain names that you specify in the Accepted URL fields (typically, your Web store). If the Web site from which the transaction originates is not one of the specified domains, then the order is rejected.
If you leave the Accepted URL fields blank, Payflow Link will not authenticate the originating URL. This means that, even though you are a registered Payflow Link user, your URL is not automatically protected with domain-checking security.
Note: The Accepted URL feature is designed to assist you, but is not a strong anti-fraud tool. If you are concerned about this issue, be sure to use VeriSign Manager to verify the dollar amount of each transaction.
How do I add Accepted URLs?
To add Accepted URLs, follow these steps: Go to https://manager.verisign.com and log on to VeriSign Manager. Select Account Info > Payflow Link Info. On the Edit Configuration page, scroll down to view the Security Options. Under Accepted URL (numbered 1 to 5), add Web addresses (URLs) as needed.
Other Security Information: --------------------------------------------- http://www.verisign.com/support/payflow/fraud/fraudPrevention.html
Notification and Response: ------------------------------------ Initial Notification to Vendor: 11/19/2004 Vender Response: 11/22/2004 with the solution
[Shirkdog Security] http://www.shirkdog.us
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
