| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 15 Mar 2003 10:16:05 +0000 (GMT) From: Jason Clifford <security@...on.ukpost.com> To: bugtraq@...urityfocus.com Subject: Remote Exploit in Business::OnlinePayment::WorldPay::Junior Business::OnlinePayment::WorldPay::Junior is a perl module providing a backend for perl scripts to manage credit/debit card payments through the WorldPay Select Junior service. I am the author of the module. There is a bug in all version of Business::OnlinePayment::WorldPay::Junior prior to 1.05 (released yesterday) in that the module fails to properly check that the test mode of a transaction returned from WorldPay via their callback facility is the same as that recorded for the transaction before the user was sent to WorldPay to effect the payment. This exposes any script using the module to a HTML page rewriting exploit by the site visitor. Version 1.05 of the module fixes this problem. Note that the module as also been renamed with this version to Business::WorldPay::Junior to avoid namespace conflicts with the Business::OnlinePayment API. Anyone updating to the new version should apply the following regex to any scripts using the module: s/Business::OnlinePayment::WorldPay::Junior/Business::WorldPay::Junior/ Jason Clifford -- UKFSN.ORG Finance Free Software while you surf the 'net http://www.ukfsn.org/ Get the T-Shirt Now
Powered by blists - more mailing lists