Business::OnlinePayment::StoredTransaction Insecure Secret Key Vulnerability
Vulnerability
A vulnerability exists in Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl, due to the use of an insecure method for generating secret keys. The module creates a secret key by applying an MD5 hash to the result of a single call to Perl's built-in rand function, a general-purpose pseudo-random number generator that is not suitable for cryptographic purposes. This key is intended for encrypting credit card transaction data.
Impact
The vulnerability allows for the generation of weak secret keys, which can compromise the encryption of sensitive credit card information, potentially leading to unauthorized access or exposure of this data.
Reproduction
To reproduce this vulnerability, use Business::OnlinePayment::StoredTransaction version 0.01 or earlier. The secret key can be observed by calling the 'submit' method after setting the 'password' field with an RSA public key. The key generation process can be verified by checking the randomness and strength of the resulting key, which are inadequate for secure encryption.
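The weak pattern the advisory describes, next to a hardened replacement, as an added Perl example that is not the module's own code; weak_secret_key and strong_secret_key are names chosen here, and the hardened version assumes a Unix-like system where /dev/urandom is available.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern from the advisory (reconstructed here, not the module's code):
# one rand() value, hashed with MD5. Hashing adds no entropy; the key is fully
# determined by the PRNG state, and rand() is not designed to be unpredictable.
sub weak_secret_key {
    return md5_hex(rand());
}

# Hardened replacement: take key bytes straight from the OS CSPRNG.
# Assumes /dev/urandom exists (Crypt::URandom from CPAN is a portable alternative).
sub strong_secret_key {
    my ($nbytes) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, $nbytes);
    close($fh);
    die "short read from /dev/urandom" unless defined $got && $got == $nbytes;
    return unpack('H*', $buf);   # hex-encoded key, 2 * $nbytes characters
}

# Check: two runs of the weak generator from the same PRNG seed yield the same
# "secret" key, which a key protecting card data must never do.
srand(12345);                     # fixed seed, constructed for this demonstration
my $k1 = weak_secret_key();
srand(12345);
my $k2 = weak_secret_key();
print "weak keys identical under the same seed: ", ($k1 eq $k2 ? "yes" : "no"), "\n";

# The CSPRNG-backed generator gives a fresh 256-bit key on every call.
my $s1 = strong_secret_key(32);
my $s2 = strong_secret_key(32);
print "strong keys identical: ", ($s1 eq $s2 ? "yes" : "no"), "\n";
```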