Homebase website screw up.....


Hi, All :-)
Discovered yesterday 27-08-05

http://www.homebase.co.uk/webapp/wcs/stores/servlet/ProductDisplay?storeId=20001&langId=-1&productId=171745

[Local copy of the page for posterity: 49p TV rather than £249.99]

This brings up a nice cock-up: a few friends have placed orders and have had them confirmed... the link now shows a generic error page saying "The store is currently experiencing problems. Try again later."

I have had it suggested that it might be prone to an Injected SQL attack....Hmmm possibly....

Yours
The Reverend Rat +:-)

The store is currently experiencing problems. Try again later.
Attribute Name Attribute Value
fileDir /wcsstore/homebase/
sdb com.ibm.commerce.common.beans.StoreDataBean@4935f6b7
storeId [Ljava.lang.String;@5cc2f6ab
javax.servlet.include.request_uri /webapp/wcs/stores/homebase/trolley/GenericError.jsp
com.ibm.servlet.engine.webapp.dispatch_type include
com.ibm.websphere.current_uri /webapp/wcs/stores/homebase/trolley/GenericError.jsp
orderId 97249236
com.ibm.websphere.olt.include.bool true
HomebaseMessages java.util.PropertyResourceBundle@4e41355e
bundleDir homebase
myAccountReturnURL [Ljava.lang.String;@82f568
checkFreeGift false
javax.servlet.include.context_path /webapp/wcs/stores
quantity [Ljava.lang.String;@5de7b6ab
trolleyOrderId 97249236
storeDir /homebase/
paletteDir /wcsstore/homebase/en_US/images/p2/
langId [Ljava.lang.String;@5cb7b6ab
catEntryId_0 [Ljava.lang.String;@5cec76ab
storeName homebase
returnURL [Ljava.lang.String;@5d8476ab
com.ibm.websphere.request_url http://www.homebase.co.uk/webapp/wcs/stores/servlet/OrderItemDisplay
y [Ljava.lang.String;@5c9176ab
CommandContext com.ibm.commerce.command.CommandContextImpl@5406f6ab
x [Ljava.lang.String;@5c9cb6ab
ResourceText java.util.PropertyResourceBundle@96c755d
trolleyItem com.ibm.commerce.order.beans.OrderItemDataBean@12e4f6b7
javax.servlet.jsp.jspException javax.servlet.ServletException
javax.servlet.jsp.jspException null
javax.servlet.jsp.jspException javax.servlet.ServletException at com.ibm.commerce.beans.DataBeanManager.activate(DataBeanManager.java(Compiled Code)) at homebase.trolley._trolleyList_jsp_9._jspService(_trolleyList_jsp_9.java(Compiled Code)) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java(Compiled Code)) at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java(Compiled Code)) at org.apache.jasper.runtime.JspServlet.service(JspServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.IdleServletState.service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(StrictLifecycleServlet.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstance.service(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(ServletManager.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.commerce.command.HttpForwardViewCommandImpl.forwardDocument(HttpForwardViewCommandImpl.java(Compiled Code)) at 
com.ibm.commerce.command.HttpForwardViewCommandImpl.performExecute(HttpForwardViewCommandImpl.java(Compiled Code)) at com.ibm.commerce.command.AbstractECCommand.execute(AbstractECCommand.java(Compiled Code)) at com.ibm.commerce.webcontroller.ViewCmdExecUnit.execute(ViewCmdExecUnit.java(Compiled Code)) at com.ibm.commerce.webcontroller.WebController.executeTransaction(WebController.java(Compiled Code)) at com.ibm.commerce.webcontroller.WebController.processRequest(WebController.java(Compiled Code)) at com.ibm.commerce.adapter.AbstractHttpAdapter.processRequest(AbstractHttpAdapter.java(Compiled Code)) at com.ibm.commerce.server.RequestServlet.service(RequestServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ServicingServletState.service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(StrictLifecycleServlet.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstance.service(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(ServletManager.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.srt.WebAppInvoker.doForward(WebAppInvoker.java(Compiled Code)) at 
com.ibm.servlet.engine.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java(Compiled Code)) at com.ibm.servlet.engine.invocation.CachedInvocation.handleInvocation(CachedInvocation.java(Compiled Code)) at com.ibm.servlet.engine.invocation.CacheableInvocationContext.invoke(CacheableInvocationContext.java(Compiled Code)) at com.ibm.servlet.engine.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java(Compiled Code)) at com.ibm.servlet.engine.oselistener.OSEListenerDispatcher.service(OSEListener.java(Compiled Code)) at com.ibm.servlet.engine.http11.HttpConnection.handleRequest(HttpConnection.java(Compiled Code)) at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java(Compiled Code)) at com.ibm.ws.http.HttpConnection.run(HttpConnection.java(Compiled Code)) at com.ibm.ws.util.CachedThread.run(ThreadPool.java(Compiled Code))
includeDir /homebase/include/
productId [Ljava.lang.String;@5ca5f6ab
trolleyItemNumber 0
javax.servlet.include.servlet_path /homebase/trolley/GenericError.jsp
RequestProperties returnURL = ProductDisplay orderId = 97249236 myAccountReturnURL = OrderItemDisplay quantity = 1 productId = 171745 langId = -1 docname = trolley/trolleyList.jsp checkFreeGift = false y = 9 x = 24 catEntryId_0 = 171745 storeId = 20001
com.ibm.websphere.olt.forward.request WCS Stores Request Servlet
CustomerMessages java.util.PropertyResourceBundle@197bb528
canDisableCheckboxes true

       +
     -   -
    ( )_( )
     (0 0)
      \  /
     >V<
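The real exposure in the page above is not the price but the error handler: a customer-facing GenericError.jsp that dumps every request attribute, Java object identities, internal JSP paths and a full WebSphere stack trace. As an added example (not from the original post), the Python check below flags exactly those markers in an HTTP response body, so a site owner can test their own error pages before customers do. The sample body is a constructed, shortened excerpt of the dump quoted in the post.

```python
import re

# Markers of verbose server-side error disclosure in an HTTP response body.
# Patterns target Java servlet containers generally, modelled on the WebSphere
# Commerce GenericError.jsp attribute dump reproduced in the post above.
DISCLOSURE_PATTERNS = {
    # e.g. "at com.ibm.commerce.beans.DataBeanManager.activate(DataBeanManager.java(Compiled Code))"
    "stack_frame": re.compile(r"\bat [\w$.]+\(\w+\.java(?::\d+|\([^()]*\))?\)"),
    # e.g. "[Ljava.lang.String;@5cc2f6ab" (Object.toString() of an unrendered parameter array)
    "object_identity": re.compile(r"(?:\[L)?[\w$.]+;?@[0-9a-fA-F]{4,16}(?![\w.])"),
    # e.g. "javax.servlet.ServletException"
    "exception_class": re.compile(r"\b(?:[\w$]+\.)+\w*(?:Exception|Error)\b"),
    # e.g. "/webapp/wcs/stores/homebase/trolley/GenericError.jsp"
    "jsp_path": re.compile(r"/[\w./-]+\.jsp\b"),
    # package prefixes that identify the application server to anyone reading the page
    "server_fingerprint": re.compile(r"\bcom\.ibm\.(?:websphere|ws|servlet\.engine)\b"),
}


def find_error_disclosures(body: str) -> dict:
    """Return {category: sorted unique matches} for each disclosure marker found in body."""
    findings = {}
    for category, pattern in DISCLOSURE_PATTERNS.items():
        hits = sorted({m.group(0) for m in pattern.finditer(body)})
        if hits:
            findings[category] = hits
    return findings


def is_verbose_error_page(body: str) -> bool:
    """Treat the response as a leaking error page if it exposes a stack frame or exception class."""
    found = find_error_disclosures(body)
    return "stack_frame" in found or "exception_class" in found


# Constructed, shortened excerpt of the error page dump quoted in the post.
LEAKY_BODY = """The store is currently experiencing problems. Try again later.
sdb com.ibm.commerce.common.beans.StoreDataBean@4935f6b7
storeId [Ljava.lang.String;@5cc2f6ab
javax.servlet.include.request_uri /webapp/wcs/stores/homebase/trolley/GenericError.jsp
javax.servlet.jsp.jspException javax.servlet.ServletException at com.ibm.commerce.beans.DataBeanManager.activate(DataBeanManager.java(Compiled Code)) at com.ibm.ws.util.CachedThread.run(ThreadPool.java(Compiled Code))
"""

# What the customer should have seen: the generic message and nothing else.
CLEAN_BODY = "The store is currently experiencing problems. Try again later.\n"

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, is_verbose_error_page(body), find_error_disclosures(body))
```

The same check can run in a staging pipeline against deliberately broken requests, since a generic error template that still renders attributes or stack traces will trip it while the plain message will not.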

4 Comments

I would not trust my credit card to a system that displays errors like these to the internet at large.

Homebase should prove that they have conducted a thorough, independent security vulnerability analysis, not just of the IBM WebSphere Java software, but also of their management procedures, audit processes and staff training.

If they can get the displayed prices wrong, why should they be trusted to deduct the correct amount from your credit card transaction?

Will this problem be fixed over a Bank Holiday weekend? Unlikely.

Homebase should honour any transactions which have gone through for "49p" television purchases.

The BBC are now reporting that, unsurprisingly, Homebase / Argos are refusing to supply TVs for 49p, given that about 10,000 people attempted to purchase one of these "bargains".

http://news.bbc.co.uk/1/hi/uk/4204002.stm

"Last Updated: Thursday, 1 September 2005, 09:53 GMT 10:53 UK

Argos apologises for 49p TV error

Thousands of internet shoppers who bought a television and DVD normally priced at £350 for 49p have been told the deal was too good to be true.

Argos and Homebase are refusing to honour the website deals apologising and saying the mistake in pricing was down to a "genuine internal error".

About 10,000 customers had bought the 28" TV and DVD over the Bank Holiday.

A consumer expert told the BBC the transactions would be void because both parties would know this was a mistake.

Thousands of customers who bought the Bush television and DVD package over the Bank Holiday weekend had money taken from their account.

Radio Five Live quoted the example of one student who bought 80 sets at the bargain price.

But the company Argos Retail Group has now rescinded all the orders and is giving refunds.

Contract void

It said this was down to a mistake "while keying in prices".

"As soon as we were made aware of the problem, we took steps to make the product unavailable for purchase", it said in a statement.

It apologised to all its customers saying it would not be able to fulfil the orders.

"We pride ourselves on providing our customers with some great value deals and we can understand why some customers thought this was too good an opportunity to miss - unfortunately on this occasion it really was an offer too good to be true."

Consumer expert Jonathan Woodroffe, of the solicitors Ashley Wilson, said: "The contract is void. If the deal is too good to be true, it is."

He told the BBC it would have been different had it been a £20 DVD on sale for 49p or the first 10 or five sets had been on sale at the low price as a loss leader.

"It comes down to whether a reasonable person would think it was a joke and they would," he said."

How much is a several-minute slot on BBC news, The Sun and all the other media coverage worth to Argos/Homebase as free advertising?

"I have had it suggested that it might be prone to an Injected SQL attack"

Not by anyone who knows anything about SQL injection...

Don't forget that just doing this can land you in court, charged under section 1 and section 3 of the Computer Misuse Act.

Oh, and just visiting the above link could also do the same, as Argos can claim it was unauthorised.

:)
