Perl$hop E-Commerce Input Injection

`A while back I was playing around with Perl$hop, which if you are not  
aware, is an e-commerce script developed by Waverider Systems. XSS  
(Cross Site Scripting), Directory Traversal, Code Execution, and more!   
Wow, that sure is a lot of vulnerabilities for one product. It would  
seem as if the developers had little to no regard for web application  
security. Which, were this not a free product, I might comment further  
upon. As this is not the case, allow me to continue.  
  
One of the initial vulnerabilities I noticed when viewing the source  
code to a product page was the existence of a hidden input field named  
ITEM_PRICE. Now we simply download the source to the page, edit the  
hidden value of input field ITEM_PRICE to whatever we want, as an  
example value=?0.01?, and save. Reopen and purchase the item. The  
following checkout page will verify your success or lack thereof. So we  
can set our own price, fun stuff!  
  
Next we examine perlshop.cgi and notice that the script does not  
properly sanitize user input. After a little variable injection we find  
that the GET variable ?thispage? is vulnerable to a directory traversal  
and potential code execution depending on the environment. If you were  
hoping for an exploit example, here it is:  
  
http://target/cgi-bin/perlshop.cgi?ACTION=ENTER%20SHOP&thispage=../../../../../../../../etc/passwd&ORDER_ID=%21ORDERID%21&LANG=english&CUR=dollar  
  
And lastly, to save myself the trouble, I?ll just say that the GET  
variable CUR, thispage, LANG, and most likely others contain cross site  
scripting vulnerabilities. XSS vulnerabilities are not nearly as  
critical as the aforementioned directory traversal and code execution  
vulnerabilities though they should still be taken seriously as session  
fixation attempts could allow a hacker to hijack accounts.  
  
www.shadow.net   
  
  
`