Learn to follow orders dammit!

So the other day I found a site (Patriot Outfitters, actually) that had an SSL flaw.  The site works great if you log in and go shopping; but if you go shopping and then create an account at check-out, it fails to use SSL encryption to submit card information and fails to ask for CVV2 verification.  For those wanting to shop there, just create an account first and log in, then go shopping; your card will go over SSL that way.

I e-mailed them with no response so far.  So today I called them!  The girl that answered immediately gave me her supervisor, who quickly pointed out that they have a certificate and believe it works; but he was also fast to pass me on to the IT director, with no excuses.  I have since forwarded instructions to reproduce the flaw to the IT guy, along with PCAP dumps (from Wireshark) and screenshots of the process.

I expect a quick acknowledgment of the problem, and hopefully a fix soon; though fixing Web applications often proves difficult.  I mentioned that my employer can render further assistance if they want me to forward contact information along; really I hope to pull them in for a penetration test and any services necessary to reach PCI DSS compliance.  I don’t know if they currently meet PCI DSS compliance, of course; but if all goes well we’ll find out and fix it if necessary.

On a related note, one of my coworkers says the compression shirts and shorts work really well and make running 500 miles in the desert with a 50 pound backpack full of gear a lot more tolerable.  I guess I should pick up one or two sets later for when I’m training.  Reviews will go here of course; any further information about the broken Web site … will not go here, come on, nobody needs to know that.


~ by John Moser on November 5, 2007.

%d bloggers like this: