Vendor: CyberSource
Version: Business Center, Essentials/Small Business, https://businesscenter.cybersource.com/
Severity: Vulnerability allows malicious employees or compromised accounts to steal money.
Vendor Status: Notified, but expects to fix the issue some time in 2006.

Overview:

Business Center is the web application used by merchants to authorize, capture, and refund credit card transactions. The application lets merchants define user accounts that are granted limited privileges over which operations they may perform on a transaction. User-controlled input does not appear to be validated on the server side, as shown by the two ways found to bypass these user privilege restrictions.

Unfortunately, it was found that through simple URL manipulation it is possible to bypass the restrictions so that a limited user can create new transactions and search for and view previous transactions. The latter allows an untrusted user to view customer information. Issuing new credit transactions and capturing (moving customer money to the merchant account) can be done by creating a local copy of web pages from the site and modifying the HTML
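The flaw class described above is a missing server-side authorization check: the application trusts the operation name in the URL and the fields in the submitted form instead of the permissions stored for the logged-in account. The following Python is an added illustration of the defence (it is not CyberSource code, and the account names, permission sets and function names such as handle_request are assumptions): every request is checked against the server-held permission set for the session user, any client-supplied role or privilege field is ignored, and denials are logged so that an account repeatedly probing operations it is not allowed to perform can be spotted.

```python
"""Server-side authorization for a hypothetical merchant transaction portal.

Added example, not the vendor's code. Every operation (search, view,
authorize, capture, refund) is checked against permissions stored on the
server for the session user, never against role or operation names the
client sends in the URL or form body.
"""
from dataclasses import dataclass, field
from collections import Counter

# Constructed sample accounts with their server-side permission sets.
# In a real system these come from the merchant's account database.
MERCHANT_USERS = {
    "alice": {"search", "view", "authorize", "capture", "refund"},  # owner
    "bob": {"view"},                                                # limited clerk
}

VALID_OPERATIONS = {"search", "view", "authorize", "capture", "refund"}

# Audit trail of denied requests: (session_user, requested path).
AUDIT: list = []


@dataclass
class Request:
    session_user: str                           # identity from the login session
    path: str                                   # e.g. "/transactions/capture"
    params: dict = field(default_factory=dict)  # query string / form fields


def operation_from_path(path: str) -> str:
    """Map a URL path to an operation name; reject anything not on the allow-list."""
    op = path.rstrip("/").rsplit("/", 1)[-1]
    if op not in VALID_OPERATIONS:
        raise ValueError(f"unknown operation: {op!r}")
    return op


def authorize_request(req: Request, users=MERCHANT_USERS) -> bool:
    """True only if the session user may perform the operation in req.path.

    Fields such as 'role', 'user' or 'privileges' in req.params are ignored:
    they are untrusted input, exactly what URL manipulation or an edited local
    copy of the form would tamper with.
    """
    perms = users.get(req.session_user)
    if perms is None:
        return False
    try:
        op = operation_from_path(req.path)
    except ValueError:
        return False
    return op in perms


def handle_request(req: Request, users=MERCHANT_USERS):
    """Tiny request handler: returns (http_status, message)."""
    if not authorize_request(req, users):
        AUDIT.append((req.session_user, req.path))
        return 403, f"denied: {req.session_user} may not {req.path}"
    return 200, f"ok: {operation_from_path(req.path)} by {req.session_user}"


def suspicious_accounts(audit=AUDIT, threshold: int = 2) -> set:
    """Accounts with at least `threshold` denied requests: a detection signal
    for privilege probing, whether by a malicious employee or a stolen login."""
    counts = Counter(user for user, _ in audit)
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed traffic: bob tries to escalate via a form field and a URL.
    for r in (
        Request("bob", "/transactions/view"),
        Request("bob", "/transactions/capture", {"role": "owner"}),
        Request("bob", "/transactions/search"),
        Request("alice", "/transactions/capture"),
    ):
        print(handle_request(r))
    print("suspicious:", suspicious_accounts())
```

The design point is that the permission lookup keys on the session identity and the operation actually being invoked; the client can rewrite the URL or the form all it likes and still only reaches the operations the server has recorded for that account.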