From: Lou Poppler <lwp@conch.aa.msen.com>
Date: Mon, 9 Dec 1996 19:12:01 -0800 (PST)
To: cypherpunks@toad.com
Subject: Security problems in recent list spam
Message-ID: <Pine.BSI.3.92.961209220510.8933A-100000@conch.aa.msen.com>
MIME-Version: 1.0
Content-Type: text/plain


I was irritated enough by a recent Commercial spam to the list,
(a message from Sue) that I researched the web pages it points us to.

I note 2 very interesting features in the order form page
(www.steppingstones.com/ordercab.htm)

This form collects various info, and returns a POST request invoking
 ACTION="/cgi-bin/mailto.exe"

It appears that these folks leave themselves open to some abuse,
from anyone creative enough to modify the form slightly!

Also, in the ObSnakeOil department, the form contains this claim:
> You are ordering via a secure server which scrambles your credit card
> information to prevent it from being intercepted.  If, however, you are
> still not comfortable sending your credit card number on line, please
> fill out the above order form without any payment information and either
> call us toll free at 1-800-585-1118 (outside the US, call (203) 730-2220)
...

Now, it appears that this form returns a non-encrypted POST request
to their server, and furthermore the action taken by the server
is to email all the data to the ultimate business recipient.
Thus the credit card info would be sent through the net TWICE as
plaintext.