ZH2003-3SA (security advisory): Storefront sql injection: users info disclosure Published: 12/07/2003 Released: 12/07/2003 Name: Storefront sql injection: users info disclosure Affected Systems: StoreFront 6.0 (and older versions?) Issue: Remote attackers can obtain users info Author: G00db0y@zone-h.org Description *********** Zone-h Security Team has discovered a serious security flaw in StoreFront 6.0 (and older versions?). "Storefront offers merchants and developers a feature rich, fully customizable e-commerce solution at a fraction of the cost to deploy and maintain." Details ******* Storefront is an ASP shopping cart / storefront system that covers all the needs for ecommerce web sites. It's possible to retrieve sensible users information. There is a sql injection vulnerability in /login.asp of StoreFront system. It's possible to login with this email id and password: ' or 'a'='a to have then access to the first user in database structure. If an attacker knew any email address of a registered user, it'll be possible for him to retrieve the registered uses's information from this login page. Example: Email of registered user: example@example.com Email id (user in the login.asp): example@example.com Password: ' or 'a'='a Solution: ********* The vendor has been contacted and a patch is not yet produced Suggestions: ************ Nothing G00db0y - www.zone-h.org admin Original advisory here: http://www.zone-h.org/en/advisories/read/id=2684/
