[Shirkdog Security Advisory SHK-001]

Title:
-------
Payflow Link Default Config may lead to Hidden Field Modification

Description of Application:
------------------------------------
http://verisign.com/products-services/payment-processing/online-payment/payflow-link/index.html
(careful with the line wrap)

Payflow Link is an easy to use payment form that can be added to
any website with little or no installation or configuration.
Customers can simply click on a link to be directed to a secure
order form hosted by VeriSign and make purchases with a variety
of payments methods.

Vulnerability:
-----------------
In the default configuration of Payflow Link, the hidden field
"AMOUNT" can be changed to whatever dollar amount and passed to
the secure PayFlow Link webpage. Also, there is no verification of
the source of the POST; therefore anyone can submit the HIDDEN
field values from anywhere without verification of the originating
IP.

Impact:
----------
An attacker can change the hidden field to any dollar amount and
misrepresent purchases for businesses providing products or services.

Risk Level:
--------------
Medium

Solution:
------------
Provided by VeriSign
(The Accepted URL feature is disclosed in the PayFlow Link
documentation but not enabled by default and not a part of the
HTML used to setup PayFlow Link.)

What is an Accepted URL?

The Accepted URL security feature stops fraudsters from changing
the dollar value of amounts being passed to or from Payflow Link.
When a customer places an order, Payflow Link compares the
originating Web site against the domain names that you specify in
the Accepted URL fields (typically, your Web store). If the Web
site from which the transaction originates is not one of the
specified domains, then the order is rejected.

If you leave the Accepted URL fields blank, Payflow Link will not
authenticate the originating URL. This means that, even though
you are a registered Payflow Link user, your URL is not
automatically protected with domain-checking security.

Note: The Accepted URL feature is designed to assist you, but is
not a strong anti-fraud tool. If you are concerned about this issue,
be sure to use VeriSign Manager to verify the dollar amount of each
transaction.

How do I add Accepted URLs?

To add Accepted URLs, follow these steps:
Go to https://manager.verisign.com and log on to VeriSign Manager.
Select Account Info > Payflow Link Info. On the Edit Configuration
page, scroll down to view the Security Options. Under Accepted URL
(numbered 1 to 5), add Web addresses (URLs) as needed.

Other Security Information:
---------------------------------------------
http://www.verisign.com/support/payflow/fraud/fraudPrevention.html

Notification and Response:
------------------------------------
Initial Notification to Vendor: 11/19/2004
Vender Response: 11/22/2004 with the solution


[Shirkdog Security]
http://www.shirkdog.us

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/