On Thu, Oct 26, 2000 at 11:38:47AM +1100, Graeme Merrall wrote:
> That's bad enough but here's the kicker. The forms posted to it are firstly
> not encrypted. Plain old HTTP for that including username, password and card
> details but they're also posted in the URL query string. Yes that's correct
> - the URL.
> Remember those remote exploits? This is script kiddie stuff. How trivial is
> it to gain a shell and then simply suck back the Apache access log to pull
> out all the query strings? It's some script kiddie's wet dream!

        Forget the Apache logs.

        People on the list that work for ISPs, have you grepped through
your squid logs for credit card numbers yet? :)

> I mailed them ages ago to offer to fix it for them but of course no
> response. 
> 

-- 
John

The difference between a good man and a bad one is the 
choice of cause - William James


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
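
The point made in this thread is that card numbers sent in a URL query string end up in every web server and proxy log along the path. As an added example (not part of the original message), here is a log scrubber an operator could run to find and mask Luhn-valid card numbers in access logs. The sample log lines, hostnames and the function names are constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by '-' or '+' (a space in a URL-encoded form).
CANDIDATE = re.compile(r"(?<!\d)\d(?:[-+]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_line(line: str):
    """Return (line with card numbers masked to the last four digits, hit count)."""
    hits = 0
    def mask(m):
        nonlocal hits
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a plausible card number, leave untouched
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, line), hits

def scrub(lines):
    """Redact every line; return (redacted lines, total card numbers found)."""
    out, total = [], 0
    for line in lines:
        red, n = redact_line(line)
        out.append(red)
        total += n
    return out, total

# Constructed sample input: one squid native-format line, two Apache lines.
# 4111111111111111 is a widely published test number, not a real card.
SAMPLE = [
    "972520727.412    231 192.0.2.10 TCP_MISS/200 1843 GET "
    "http://shop.example/order.cgi?user=bob&card=4111111111111111&exp=0102 "
    "- DIRECT/198.51.100.7 text/html",
    '192.0.2.10 - - [26/Oct/2000:11:38:47 +1100] '
    '"GET /order.cgi?card=4111-1111-1111-1111 HTTP/1.0" 200 512',
    '192.0.2.11 - - [26/Oct/2000:11:39:02 +1100] '
    '"GET /track.cgi?order=1234567890123456 HTTP/1.0" 200 98',
]

if __name__ == "__main__":
    redacted, found = scrub(SAMPLE)
    print("\n".join(redacted))
    print("card numbers masked:", found)
```

A non-zero count from a run over real logs means card data has already been written to disk, so the logs and any rotated or archived copies need the same treatment.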
