Bugtraq mailing list archives

Re: Another hole in Cart32


From: JKing () GFPGROUP COM (Justin King)
Date: Wed, 24 May 2000 16:35:42 -0400


It's not even that hard. Why make a long PHP script when one line of
JavaScript will do the same?

The makers of Cart32 should send an e-mail to all of their users warning
them that their installation is currently flawed, and stating that a new
release will be out shortly which implements real security. If they can't
take this step, they should be boycotted. If they state that their software
is secure, they should be sued for fraudulent advertising.

Enter the following into your location bar (modified to mesh with form of
course):
javascript:window.document.formname.itemprice.value="0.00";alert("Price now $0.00");

-----Original Message-----
From:   CDI [mailto:cdi () THEWEBMASTERS NET]
Sent:   Tuesday, May 23, 2000 5:05 PM
To:     BUGTRAQ () SECURITYFOCUS COM
Subject:        Re: Another hole in Cart32

[snip]

Here - let's pull the security blanket off of Cart32 and show them the
cold, hard facts of life.

This also shows that Cart32.com doesn't take its own damn advice...

[snip]
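The defect behind the one-liner above is that the shop bills whatever the browser sends in the `itemprice` field. The following is an added example, not code from this post or from Cart32, showing the flawed handler beside one that recomputes the price from a server-side catalog (catalog contents, field names and function names are assumed):

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {
    "SKU-100": Decimal("49.95"),
    "SKU-200": Decimal("12.50"),
}


def vulnerable_total(form):
    """Cart32-style flaw: the price submitted by the browser is billed as-is.

    Anyone who edits the hidden/readonly field (e.g. via the location bar)
    controls what they pay.
    """
    return Decimal(form["itemprice"]) * int(form["qty"])


def hardened_total(form):
    """Look the price up by item id; the submitted price is never used for billing.

    Returns (total, tampered). `tampered` is True when the client-supplied
    price disagrees with the catalog, so the request can be logged or rejected.
    """
    sku = form["itemid"]
    if sku not in CATALOG:
        raise ValueError(f"unknown item {sku!r}")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    price = CATALOG[sku]
    try:
        submitted = Decimal(form.get("itemprice", price))
    except InvalidOperation:
        submitted = None  # garbage in the field counts as tampering
    tampered = submitted != price
    return price * qty, tampered


if __name__ == "__main__":
    # Constructed POST body: the browser set itemprice to 0.00 before submitting.
    tampered_form = {"itemid": "SKU-100", "qty": "2", "itemprice": "0.00"}
    print("vulnerable bills:", vulnerable_total(tampered_form))   # 0.00
    print("hardened bills:  ", hardened_total(tampered_form))     # (99.90, True)
```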

