(InternetNews, 13 April) The developer of a highly rated e-commerce
shopping cart is accused of building a software backdoor into the
program that could give him or hackers complete control of the server on
which it's installed.  The Dansie Shopping Cart, which is currently in
use at more than 200 e-commerce sites and is recommended by several Web
hosting firms, contains code that enables the author, Craig Dansie, to
potentially run any command on the Web server.  Dansie reportedly built
a subroutine into the cart which enables him to use a nine-character
form element or password to remotely execute commands on the server
using the broad security privileges usually assigned to CGI scripts. But
because the password is the same for every installation of the cart, and
because the script must be installed with world-readable permission,
anybody who has access to a server on which the cart is installed could
retrieve the source code and the form element and use it to control
other servers.





