COMMAND

    QuickCommerce E-Commerce

SYSTEMS AFFECTED

    QuickCommerce E-Commerce

PROBLEM

    Erik  Tayler  found  following.   A  vulnerability  exists  in the
    entire QuickCommerce E-Commerce solutions package. For every  item
    that you want your customer to buy, you are required to place  the
    following code on your page...

        <FORM METHOD=POST ACTION="https://secure.quickcommerce.net/gateway/transact.dll">

        <INPUT TYPE=HIDDEN NAME="x_Version" VALUE="3.0">

        <INPUT TYPE=HIDDEN NAME="x_Login" VALUE="???????">

        <INPUT TYPE=HIDDEN NAME="x_Show_Form" VALUE="PAYMENT_FORM">

        <INPUT TYPE=HIDDEN NAME="x_Amount" VALUE="3000.00">

        <INPUT TYPE=HIDDEN NAME="x_Cust_ID" VALUE="??????">

        <INPUT TYPE=HIDDEN NAME="x_Description" VALUE="EZ All for Bonds and S&P 500">

        <INPUT TYPE=HIDDEN NAME="x_Invoice_Num" VALUE="29910">

        <INPUT TYPE=SUBMIT FONT-SIZE="-2" VALUE="ONLY $3,000.00">

        </FORM>

    Erik took  out the  values for  x_Login and  x_Cust_ID for obvious
    reasons.  One could take this  code from a page after viewing  the
    source,  and  place  it  on  a  blank  (or  not) page on their own
    server.  One could change the  value for x_Amount to 0.00 or  0.01
    and  get  free  products.  Of  course  if you view the source, you
    would  see  that  the  x_Login  and  x_Cust_ID  values are already
    there, so  no need  to go  hunting for  the person's  login id and
    such.

SOLUTION

    Nothing yet.