
Security Alert: Possible Cross-Site Request Forgery (CSRF)


VARUNISAC


Welcome VARUNISAC! Glad to see you made it to the forums.

CubeCart uses a security token for every HTML form that is part of a web page. When submitting the form's data back to CubeCart, the security token is included in that data and is checked against what CubeCart last used and expects it to be. If different, or missing, CubeCart includes this alert on the next page sent to the browser.

For the CCAvenue gateway to not include this security token when the visitor chooses not to complete a CCAvenue transaction will need to be looked at.

However, a different or missing token when submitting a form will also regularly happen when the visitor moves back through the page history using the browser's Back button, and also when the visitor opens more than one CubeCart page in separate tabs or windows, then submits a form after having submitted a prior form. (The security token changes after every form submission.)

In cancelling an order, is this simply abandoning the visit to CCAvenue's web portal and returning to your store's home page? Or was the sequence of page requests other than that?

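The token behaviour described in the reply above, modelled as an added example (not part of the original post and not CubeCart's own code). The `Session` class and its method names are hypothetical, and rotating the token on every submission, valid or not, is an assumption based on the reply's statement that the token changes after every form submission.

```python
import hmac
import secrets


class Session:
    """Hypothetical server-side session holding the single token currently expected."""

    def __init__(self):
        self.expected = secrets.token_hex(16)

    def render_form(self):
        # Every page rendered now embeds the token the server currently expects.
        return self.expected

    def submit(self, token):
        # A missing token never matches; present tokens are compared in constant time.
        ok = token is not None and hmac.compare_digest(token, self.expected)
        # Assumption: the token is replaced after every submission.
        self.expected = secrets.token_hex(16)
        return "accepted" if ok else "csrf-alert"


def scenarios():
    """Replay the situations from the reply and record the server's verdict."""
    results = {}
    s = Session()

    page = s.render_form()
    results["normal_submit"] = s.submit(page)

    # Back button: the browser shows the cached page, still carrying the old token.
    results["back_button_resubmit"] = s.submit(page)

    # Two tabs opened before either form is submitted share the same token.
    tab_a, tab_b = s.render_form(), s.render_form()
    results["first_tab"] = s.submit(tab_a)
    results["second_tab"] = s.submit(tab_b)

    # A POST that arrives without any token, such as a return from an external page.
    results["missing_token"] = s.submit(None)
    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22} {verdict}")
```

Only the first submission from a freshly rendered page is accepted; the stale and missing-token cases produce the alert even though no forged request is involved.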

Archived

This topic is now archived and is closed to further replies.
