Homebase website screw up.....


Hi, All :-)
Discovered yesterday 27-08-05

http://www.homebase.co.uk/webapp/wcs/stores/servlet/ProductDisplay?storeId=20001&langId=-1&productId=171745

[Local copy of the page for posterity: 49p TV rather than £249.99]

This brings up a nice cock-up: a few friends have placed orders and have had them confirmed... the link now shows a generic error saying "The store is currently experiencing problems. Try again later."

I have had it suggested that it might be prone to an Injected SQL attack....Hmmm possibly....

Yours
The Reverend Rat +:-)

The store is currently experiencing problems. Try again later.
Attribute Name Attribute Value
fileDir /wcsstore/homebase/
sdb com.ibm.commerce.common.beans.StoreDataBean@4935f6b7
storeId [Ljava.lang.String;@5cc2f6ab
javax.servlet.include.request_uri /webapp/wcs/stores/homebase/trolley/GenericError.jsp
com.ibm.servlet.engine.webapp.dispatch_type include
com.ibm.websphere.current_uri /webapp/wcs/stores/homebase/trolley/GenericError.jsp
orderId 97249236
com.ibm.websphere.olt.include.bool true
HomebaseMessages java.util.PropertyResourceBundle@4e41355e
bundleDir homebase
myAccountReturnURL [Ljava.lang.String;@82f568
checkFreeGift false
javax.servlet.include.context_path /webapp/wcs/stores
quantity [Ljava.lang.String;@5de7b6ab
trolleyOrderId 97249236
storeDir /homebase/
paletteDir /wcsstore/homebase/en_US/images/p2/
langId [Ljava.lang.String;@5cb7b6ab
catEntryId_0 [Ljava.lang.String;@5cec76ab
storeName homebase
returnURL [Ljava.lang.String;@5d8476ab
com.ibm.websphere.request_url http://www.homebase.co.uk/webapp/wcs/stores/servlet/OrderItemDisplay
y [Ljava.lang.String;@5c9176ab
CommandContext com.ibm.commerce.command.CommandContextImpl@5406f6ab
x [Ljava.lang.String;@5c9cb6ab
ResourceText java.util.PropertyResourceBundle@96c755d
trolleyItem com.ibm.commerce.order.beans.OrderItemDataBean@12e4f6b7
javax.servlet.jsp.jspException javax.servlet.ServletException
javax.servlet.jsp.jspException null
javax.servlet.jsp.jspException javax.servlet.ServletException at com.ibm.commerce.beans.DataBeanManager.activate(DataBeanManager.java(Compiled Code)) at homebase.trolley._trolleyList_jsp_9._jspService(_trolleyList_jsp_9.java(Compiled Code)) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java(Compiled Code)) at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java(Compiled Code)) at org.apache.jasper.runtime.JspServlet.service(JspServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.IdleServletState.service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(StrictLifecycleServlet.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstance.service(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(ServletManager.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.commerce.command.HttpForwardViewCommandImpl.forwardDocument(HttpForwardViewCommandImpl.java(Compiled Code)) at 
com.ibm.commerce.command.HttpForwardViewCommandImpl.performExecute(HttpForwardViewCommandImpl.java(Compiled Code)) at com.ibm.commerce.command.AbstractECCommand.execute(AbstractECCommand.java(Compiled Code)) at com.ibm.commerce.webcontroller.ViewCmdExecUnit.execute(ViewCmdExecUnit.java(Compiled Code)) at com.ibm.commerce.webcontroller.WebController.executeTransaction(WebController.java(Compiled Code)) at com.ibm.commerce.webcontroller.WebController.processRequest(WebController.java(Compiled Code)) at com.ibm.commerce.adapter.AbstractHttpAdapter.processRequest(AbstractHttpAdapter.java(Compiled Code)) at com.ibm.commerce.server.RequestServlet.service(RequestServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ServicingServletState.service(StrictLifecycleServlet.java(Compiled Code)) at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(StrictLifecycleServlet.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstance.service(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(ServletManager.java(Compiled Code)) at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(ServletManager.java(Inlined Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java(Compiled Code)) at com.ibm.servlet.engine.srt.WebAppInvoker.doForward(WebAppInvoker.java(Compiled Code)) at 
com.ibm.servlet.engine.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java(Compiled Code)) at com.ibm.servlet.engine.invocation.CachedInvocation.handleInvocation(CachedInvocation.java(Compiled Code)) at com.ibm.servlet.engine.invocation.CacheableInvocationContext.invoke(CacheableInvocationContext.java(Compiled Code)) at com.ibm.servlet.engine.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java(Compiled Code)) at com.ibm.servlet.engine.oselistener.OSEListenerDispatcher.service(OSEListener.java(Compiled Code)) at com.ibm.servlet.engine.http11.HttpConnection.handleRequest(HttpConnection.java(Compiled Code)) at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java(Compiled Code)) at com.ibm.ws.http.HttpConnection.run(HttpConnection.java(Compiled Code)) at com.ibm.ws.util.CachedThread.run(ThreadPool.java(Compiled Code))
includeDir /homebase/include/
productId [Ljava.lang.String;@5ca5f6ab
trolleyItemNumber 0
javax.servlet.include.servlet_path /homebase/trolley/GenericError.jsp
RequestProperties returnURL = ProductDisplay orderId = 97249236 myAccountReturnURL = OrderItemDisplay quantity = 1 productId = 171745 langId = -1 docname = trolley/trolleyList.jsp checkFreeGift = false y = 9 x = 24 catEntryId_0 = 171745 storeId = 20001
com.ibm.websphere.olt.forward.request WCS Stores Request Servlet
CustomerMessages java.util.PropertyResourceBundle@197bb528
canDisableCheckboxes true
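The error page pasted above is a textbook case of a "generic" error page that is anything but generic: it exposes vendor class names, a full stack trace, server-side paths and live order numbers. As an added example (not code from the post or from the Homebase/WebSphere system), the following Python check parses such an attribute dump and lists the classes of disclosure it contains, the sort of test a defender can run against error responses in staging before they reach the internet. The sample body is a constructed excerpt abbreviated from the dump above, and the rule names are my own.

```python
import re

# Constructed excerpt of a WebSphere Commerce GenericError.jsp dump, abbreviated
# from the page pasted in the post above (not a live capture).
SAMPLE_ERROR_PAGE = """The store is currently experiencing problems. Try again later.
Attribute Name Attribute Value
fileDir /wcsstore/homebase/
sdb com.ibm.commerce.common.beans.StoreDataBean@4935f6b7
storeId [Ljava.lang.String;@5cc2f6ab
javax.servlet.include.request_uri /webapp/wcs/stores/homebase/trolley/GenericError.jsp
orderId 97249236
javax.servlet.jsp.jspException javax.servlet.ServletException at com.ibm.commerce.beans.DataBeanManager.activate(DataBeanManager.java(Compiled Code)) at homebase.trolley._trolleyList_jsp_9._jspService(_trolleyList_jsp_9.java(Compiled Code))
RequestProperties returnURL = ProductDisplay orderId = 97249236 quantity = 1 productId = 171745
"""

# Each rule pairs a finding name with a regex run over "name value" lines.
LEAK_RULES = [
    ("stack_trace", re.compile(r"\bat [\w.$]+\([\w.]+\.java")),   # Java frames
    ("java_object_identity", re.compile(r"@[0-9a-f]{6,8}\b")),     # Object@hash
    ("vendor_fingerprint", re.compile(r"\bcom\.ibm\.(websphere|commerce|servlet)\b")),
    ("server_side_path", re.compile(r"(?<![\w:])/\w[\w/.-]*\.jsp\b|/wcsstore/")),
    ("business_identifier", re.compile(r"\b(orderId|trolleyOrderId)\b\s*=?\s*\d+")),
]

HEADER = "Attribute Name Attribute Value"

def parse_attribute_dump(body):
    """Return the attribute table that follows HEADER as {name: value}."""
    lines = body.splitlines()
    if HEADER not in lines:
        return {}
    attrs = {}
    for line in lines[lines.index(HEADER) + 1:]:
        name, _, value = line.partition(" ")
        if name:
            attrs[name] = value
    return attrs

def find_disclosures(body):
    """Map each finding name to the attribute names that triggered it."""
    findings = {}
    for name, value in parse_attribute_dump(body).items():
        for finding, pattern in LEAK_RULES:
            if pattern.search(f"{name} {value}"):
                findings.setdefault(finding, []).append(name)
    return findings  # an empty dict means none of the indicators were found
```

A production error page that passes this check says only that something went wrong and gives the customer an opaque reference to quote; the stack trace and request attributes belong in the server log, not the response.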

4 Comments

I would not trust my credit card to a system that displays errors like these to the internet at large.

Homebase should prove that they have conducted a thorough, independent security vulnerability analysis, not just of the IBM WebSphere Java software, but also of their management procedures, audit processes and staff training.

If they can get the displayed prices wrong, why should they be trusted to deduct the correct amount from your credit card transaction ?

Will this problem be fixed over a Bank Holiday weekend ? Unlikely.

Homebase should honour any transactions which have gone through for "49p" television purchases.

The BBC are now reporting that, unsurprisingly, Homebase / Argos are refusing to supply TVs for 49p, given that about 10,000 people attempted to purchase one of these "bargains".

http://news.bbc.co.uk/1/hi/uk/4204002.stm

"Last Updated: Thursday, 1 September 2005, 09:53 GMT 10:53 UK

Argos apologises for 49p TV error

Thousands of internet shoppers who bought a television and DVD normally priced at £350 for 49p have been told the deal was too good to be true.

Argos and Homebase are refusing to honour the website deals apologising and saying the mistake in pricing was down to a "genuine internal error".

About 10,000 customers had bought the 28" TV and DVD over the Bank Holiday.

A consumer expert told the BBC the transactions would be void because both parties would know this was a mistake.

Thousands of customers who bought the Bush television and DVD package over the Bank Holiday weekend had money taken from their account.

Radio Five Live quoted the example of one student who bought 80 sets at the bargain price.

But the company Argos Retail Group has now rescinded all the orders and is giving refunds.

Contract void

It said this was down to a mistake "while keying in prices".

"As soon as we were made aware of the problem, we took steps to make the product unavailable for purchase", it said in a statement.

It apologised to all its customers saying it would not be able to fulfil the orders.

"We pride ourselves on providing our customers with some great value deals and we can understand why some customers thought this was too good an opportunity to miss - unfortunately on this occasion it really was an offer too good to be true."

Consumer expert Jonathan Woodroffe, of the solicitors Ashley Wilson, said: "The contract is void. If the deal is too good to be true, it is."

He told the BBC it would have been different had it been a £20 DVD on sale for 49p or the first 10 or five sets had been on sale at the low price as a loss leader.

"It comes down to whether a reasonable person would think it was a joke and they would," he said."


How much is a several minute slot on BBC news, The Sun and all the other media coverage worth to Argos/Homebase as free advertising ?

"I have had it suggested that it might be prone to an Injected SQL attack"

Not by anyone who knows anything about SQL injection...

Don't forget that just doing this can land you in court, charged under Section 1 and Section 3 of the Computer Misuse Act.

Oh, and just visiting the above link could also do the same, as Argos can claim it was unauthorised.

:)

About this Entry

This page contains a single entry by The Reverend Rat published on August 28, 2005 9:12 PM.
