Subject: Quorn Web site errors
Date: Fri, 7 Mar 2008

Hello.

The Quorn.us site seems rather carelessly programmed.

On the Healthy Eating page that calculates body mass index,
typing non-numeric text into the weight and height fields
will crash the script, because it doesn't validate that they
are actually numbers.

Unrelatedly, the cmpage.aspx script crashes if you supply
a non-existent page name, e.g.
http://www.quorn.us//cmpage.aspx?section=X

Look at how the error stack trace provides details of the
hard disk structure (c:\mesmerize etc.) and how it actually
fails while trying to perform an illegal database operation
-- again not having validated the inputs before it tries to
modify the database. This is dangerously close to the kind
of error that permits "SQL injection" attacks, where a
malicious hacker can run his own code against the database --
deleting all of the data, for instance.

I'd strongly suggest that you get your IT department to
review the security of all your Web scripts!