Stupid e-commerce trick

Sep. 15th, 2004 09:00 pm
yesthattom: (Default)
[personal profile] yesthattom
When you unsubscribe from CompUSA.com’s junk mail, the web site generates this nice web page that says, “Status: You have been removed from the mailing list”. However, the message is part of the URL. Hmm... they wouldn’t be so stupid as to let people modify the URL to say anything they wanted, would they?

http://www.compusa.com/email/default.asp?status=I+can+make+this+web+site+say+anything&emaild=you%40nothing%2Ecom

Now children, please don’t open up a can of worms by doing something like this or even worse!

Keep it clean, kids!

  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2004-09-15 06:17 pm (UTC)
From: [identity profile] xforgottenx.livejournal.com
amazing...
how did you do that!?

Date: 2004-09-15 06:17 pm (UTC)
From: [identity profile] xforgottenx.livejournal.com
nevermind that, i know how you did it and how you figured it out but... wow...
you should send this to them and let them know what fucks they are...

Date: 2004-09-15 06:24 pm (UTC)
From: [identity profile] cpj.livejournal.com
I've seen the HTML injection, and the SQL injection; but I've never seen the plain text message injection (well, unless you count formmail.pl).

Date: 2004-09-15 06:34 pm (UTC)
From: [identity profile] rainbear.livejournal.com
I've seen the hot...

oh.. nevermind.. *must turn off evil thoughts... must... stop...* :)

*bites tongue* :)

Date: 2004-09-16 02:15 am (UTC)
jss: Me (bastardcard)
From: [personal profile] jss
Only "seen"?

Don't stop on our account....

Date: 2004-09-16 10:39 am (UTC)
From: [identity profile] rainbear.livejournal.com
*wink* Nice to see you haven't changed where it counts, jss ;) ;) ;) *HUGS* hehe

Date: 2004-09-16 12:19 pm (UTC)
jss: Me (bastardcard)
From: [personal profile] jss
O:-)

Date: 2004-09-16 04:28 pm (UTC)
From: [identity profile] cpj.livejournal.com
Is there a security advisory for this injection?

Date: 2004-09-17 12:53 am (UTC)
From: [identity profile] rainbear.livejournal.com
Yes.. (http://www.compusa.com/email/default.asp?status=Rubbers+Are+A+Necessity.&emaild=you%40nothing%2Ecom) ;-)

Date: 2004-09-15 06:31 pm (UTC)
From: [identity profile] mcl.livejournal.com
Oh. My.

That'd be...well....bad. Particularly if someone did, say, something like:

http://www.compusa.com/email/default.asp?status=<a+href="http://example.com/index.html">We're+idiots&emaild=you%40nothing%2Ecom


(yes, that works. Fear.)

Date: 2004-09-15 06:34 pm (UTC)
From: [identity profile] mcl.livejournal.com
We won't even discuss whether or not it'll allow forms, javascript, etc. But bad, bad, bad things come to mind. And with Unicode, you'd be even more likely to get someone to click on the URL you craft. With HTML-ized email, people'd never notice the badness you've put in.

Bad CompUSA. No biscuit.

Date: 2004-09-15 06:36 pm (UTC)
From: [identity profile] mcl.livejournal.com
Hm. Odd. When I posted that preformatted text, I had an anchor close after "idiots". Looks like LJ stripped it.

Either way, with the appropriate close tag, that works.

Date: 2004-09-15 06:37 pm (UTC)
From: [identity profile] rainbear.livejournal.com
Hehehehehehe.. cute :))

don't dare click here!!! (http://www.compusa.com/email/default.asp?status=We+don't+just+suck+...+we+SWALLOW!&emaild=you%40nothing%2Ecom)

Date: 2004-09-16 07:07 pm (UTC)
From: [identity profile] cloacabutt.livejournal.com
Oh my god. I'm basically no better than a trained monkey when it comes to web programming, and even I figured this out! Scary. Can we use this to topple Bush somehow? http://www.compusa.com/email/default.asp?status=Karen+is+a+Goddess&emaild=you%40nothing%2Ecom
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

yesthattom: (Default)
yesthattom
Tom's Homepage

December 2015

S M T W T F S
  12345
6789 101112
13141516171819
202122 23242526
2728293031  

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Jan. 11th, 2026 07:47 am
Powered by Dreamwidth Studios