From: "Jesse S. Williams" <jesse.williams@xepherys.net>
Subject: A security flaw (itransact.com)
Date: Fri, 14 Dec 2001 22:39:02 -0500
 
<-- Snip --
 
 
I believe I have found a security hole in [the itransact.com] payment accepting scripts.
Currently, the scripts do not require the POST of forms to come from within
your own site (or affiliate sites).  If one were to follow a merchants site
to your purchase page, then view the source, copy the forms into a new
document and change the price, they could then use this new form, from any
website, to purchase said products for any price they choose.  You may want
to look into this issue.


Sincerely,

Jesse S. Williams