[30799] in bugtraq
Re: ZH2003-3SA (security advisory): Storefront sql injection:
daemon@ATHENA.MIT.EDU (Bob LaGarde)
Thu Jul 17 18:14:08 2003
Date: 17 Jul 2003 20:05:33 -0000
Message-ID: <20030717200533.937.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Bob LaGarde <b.lagarde@lagarde.com>
To: bugtraq@securityfocus.com
In-Reply-To: <20030712135646.21901.qmail@www.securityfocus.com>
This posting is completely false. Furthermore, the assertation in the
report that the vendor was notified is also false.
StoreFront 6.0 is a .NET application and contains no file named
login.asp. The previous version, StoreFront 5.0 was found to be subject
to the SQL Injection vulnerability in October of 2002. A patch was
released on October 17th 2002 in build 50.4014.
StoreFront Support
ZH2003-3SA (security advisory): Storefront sql injection: users info
>disclosure
>Published: 12/07/2003
>
>Released: 12/07/2003
>
>Name: Storefront sql injection: users info disclosure
>
>Affected Systems: StoreFront 6.0 (and older versions?)
>
>Issue: Remote attackers can obtain users info
>
>Author: G00db0y@zone-h.org
>
>Description
>
>***********
>
>Zone-h Security Team has discovered a serious security flaw in
StoreFront
>6.0
>(and older versions?). "Storefront offers merchants and developers a
>feature
>rich, fully customizable e-commerce solution at a fraction of the cost
to
>deploy
>and maintain."
>
>Solution:
>
>*********
>
>The vendor has been contacted and a patch is not yet produced
>
>
>G00db0y - www.zone-h.org admin
>
>Original advisory here: http://www.zone-h.org/en/advisories/read/id=2684/
>
