[14547] in bugtraq
Re: more problems with that POS dansie cart software!
daemon@ATHENA.MIT.EDU (Randy Janinda)
Mon Apr 17 17:10:40 2000
Message-Id: <20000414124133.F24372@lnx1.ndcorp.com>
Date: Fri, 14 Apr 2000 12:41:33 -0400
Reply-To: Randy Janinda <randy.janinda@NDCORP.COM>
From: Randy Janinda <randy.janinda@NDCORP.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.05.10004141056510.8165-100000@los-angeles.mtvnodn.com>
On Fri, Apr 14, 2000 at 11:09:47AM -0400, tombow decided:
> if installing a backdoor in the cart software wasn't bad enough.. the
> whole implementation of pricing and adding items to cart is crap..
>
> example form to add items to your cart (kindly provided on the publishers
> site using the demo cart they set up for us):
>
> *snip*
>
> I am aware this was posted a few months ago but I don't recall anyone
> posting in relation to this particular software package..
>
> tom
I too have looked at the software and would like to add my findings:
There are numerous variables you can add to the URL to retrieve interesting
information:
(http://www.domain.com/cgi-bin/cart.pl?xxx) where xxx =
vars - will give you the setup variables for the software, an interesting thing
to note is about 3/4 down the page is a login ID and security (password) for CC
transactions?
env - lists environment variables
and my personal favorite
db - Let me explain this one a bit
this works differently on the numerous versions. So do a 'vars' and look for a
string called "query_separator" (usually a | or =). Then do this
site.com/path-to/cart.pl?db|filename|All%20Items (i.e.
http://www.target.com/cgi-bin/cart.pl?db|cart.pl|All%20Items)
This will open the file for reading.. I haven't got it to successfully open
things in "recursive" paths (i.e. ../../../etc/passwd), but it does seem to
indicate if a certain file exists or not.
Also of note:
the All%20Items part can be substituted by your favorite HTML tags, to create a
custom viewing experience ;)
Have fun.
--
Randy Janinda
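As an added defender's example (not part of this post or of the cart software), the following Python scans web-server access log lines for the cart.pl query patterns described above: `vars`, `env`, and `db` followed by the query separator. The log lines, the common-log-format layout and the separator list (`|` or `=`) are constructed assumptions; a real deployment would take the separator from its own configuration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2000:12:41:33 -0400] "GET /cgi-bin/cart.pl?vars HTTP/1.0" 200 8231
10.0.0.5 - - [14/Apr/2000:12:42:01 -0400] "GET /cgi-bin/cart.pl?env HTTP/1.0" 200 1490
10.0.0.5 - - [14/Apr/2000:12:43:17 -0400] "GET /cgi-bin/cart.pl?db%7Ccart.pl%7CAll%20Items HTTP/1.0" 200 40211
10.0.0.9 - - [14/Apr/2000:12:44:00 -0400] "GET /cgi-bin/cart.pl?db=products.db HTTP/1.0" 200 3100
10.0.0.7 - - [14/Apr/2000:12:45:09 -0400] "GET /cgi-bin/cart.pl?add=1234&qty=1 HTTP/1.0" 200 2210
10.0.0.7 - - [14/Apr/2000:12:46:00 -0400] "GET /index.html HTTP/1.0" 200 512
"""

# Request line: method, path, optional query string (everything after '?').
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? ')

# Separators the post says "query_separator" is usually set to (assumption).
SEPARATORS = ("|", "=")

def classify_query(query):
    """Return a finding label for a cart.pl query string, or None if it looks benign."""
    q = unquote(query or "")          # %7C -> '|', %20 -> ' '
    if q in ("vars", "env"):
        return "config-disclosure:" + q
    for sep in SEPARATORS:
        if q.startswith("db" + sep):
            # Layout described in the post: db<sep>filename<sep>label
            parts = q.split(sep)
            target = parts[1] if len(parts) > 1 else ""
            return "file-read:" + target
    return None

def scan_log(text):
    """Return a list of (client_ip, label) for requests matching the disclosure patterns."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not m.group("path").endswith("/cart.pl"):
            continue
        label = classify_query(m.group("query"))
        if label:
            findings.append((line.split(" ", 1)[0], label))
    return findings

if __name__ == "__main__":
    for ip, label in scan_log(SAMPLE_LOG):
        print(ip, label)
```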