Bugtraq mailing list archives

QuickCommerce Vulnerability


From: zoran () UVINC COM (zoran () UVINC COM)
Date: Mon, 22 May 2000 15:59:30 -0500


A vulnerability exists in the entire QuickCommerce E-Commerce solutions package. For every item that you want your 
customer to buy, you are required to place the following code on your page...

<FORM METHOD=POST ACTION="https://secure.quickcommerce.net/gateway/transact.dll">
<INPUT TYPE=HIDDEN NAME="x_Version" VALUE="3.0">
<INPUT TYPE=HIDDEN NAME="x_Login" VALUE="???????">
<INPUT TYPE=HIDDEN NAME="x_Show_Form" VALUE="PAYMENT_FORM">
<INPUT TYPE=HIDDEN NAME="x_Amount" VALUE="3000.00">
<INPUT TYPE=HIDDEN NAME="x_Cust_ID" VALUE="??????">
<INPUT TYPE=HIDDEN NAME="x_Description" VALUE="EZ All for Bonds and S&P 500">
<INPUT TYPE=HIDDEN NAME="x_Invoice_Num" VALUE="29910">
<INPUT TYPE=SUBMIT FONT-SIZE="-2" VALUE="ONLY $3,000.00">
</FORM>

--------------------------------------------------------------------------

I took out the values for x_Login and x_Cust_ID for obvious reasons. One could take this code from a page after viewing 
the source, and place it on a blank (or not) page on their own server. One could change the value for x_Amount to 0.00 
or 0.01 and get free products. Of course if you view the source, you would see that the x_Login and x_Cust_ID values 
are already there, so no need to go hunting for the person's login id and such. 

I thought this was interesting, because QuickCommerce (www.ecx.com/qc) boasts that this is secure...

"QuickCommerce is a complete secure transaction processing system." .. Just because it is a secure server, does not 
make it so. So in summary, one could take this code from a page using the QuickCommerce system, and purchase certain 
products for nothing, or for very low prices.

Erik Tayler

14x Network Security Inc.

http://www.14x.net
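The kind of merchant-side check the post shows to be missing, added here as an example that is not part of the original post or of QuickCommerce's product: the invoice total is looked up on the server instead of being trusted from the browser's x_Amount field, and the hidden fields are HMAC-signed so an altered copy of the form can be detected. The order record, signing key, placeholder login values and signed-field list are constructed assumptions for the demonstration.

```python
import hmac
import hashlib
from decimal import Decimal, InvalidOperation

# Constructed sample: the merchant's own record of what invoice 29910 is for.
# The price lives here, on the server, not in a hidden field the customer can edit.
PENDING_ORDERS = {"29910": Decimal("3000.00")}

# Hypothetical key held by the merchant (and whoever verifies); never placed in the page.
SIGNING_KEY = b"constructed-example-key-not-real"

# Hidden fields that must not change between rendering the form and processing it.
SIGNED_FIELDS = ("x_Login", "x_Amount", "x_Invoice_Num", "x_Cust_ID")


def amount_matches_order(fields):
    """Server-side check: accept x_Amount only if it equals the recorded invoice total."""
    expected = PENDING_ORDERS.get(fields.get("x_Invoice_Num", ""))
    if expected is None:
        return False
    try:
        posted = Decimal(fields.get("x_Amount", ""))
    except InvalidOperation:
        return False
    return posted == expected


def sign_fields(fields, key=SIGNING_KEY):
    """HMAC-SHA256 over the hidden fields in a fixed order; a browser cannot recompute it."""
    message = "|".join(f"{name}={fields.get(name, '')}" for name in SIGNED_FIELDS)
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def verify_fields(fields, signature, key=SIGNING_KEY):
    """Constant-time comparison, so a form copied and edited elsewhere is rejected."""
    return hmac.compare_digest(sign_fields(fields, key), signature)


# The hidden fields from the form in the post, with the two withheld values
# replaced by placeholders, and the edited copy the post describes.
ORIGINAL = {"x_Login": "LOGIN-PLACEHOLDER", "x_Cust_ID": "CUST-PLACEHOLDER",
            "x_Amount": "3000.00", "x_Invoice_Num": "29910"}
TAMPERED = dict(ORIGINAL, x_Amount="0.01")

if __name__ == "__main__":
    sig = sign_fields(ORIGINAL)
    print(amount_matches_order(ORIGINAL), verify_fields(ORIGINAL, sig))  # True True
    print(amount_matches_order(TAMPERED), verify_fields(TAMPERED, sig))  # False False
```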

