Improper authentication checking in Alan Ward Acart

[<parag0d () phreaker net>]

Vulnerability:  Improper authentication checking for delete

Discussion:     Due to improper authentication checking a pop-up opened by any of the multiple XSS vulnerabilities by 
the admin of the site can cause a database compromise.

Exploit:        By using one of the multiple XSS vulnerabilities in this script, an attacker can cause the site 
administrator to open a new window and delete products or entire categories of products from the database.  The syntax 
is below:
        
www.example.com/acart2_0//admin/category.asp?catcode=1&stage=delete

Solution:       The developer needs to implement a new authentication mechanism for deletion of data.

Credit: CyberArmy Application and Code Auditing Team
        Parag0d

The developer was contacted regarding this matter, but never gave a reply.