In-Reply-To: <20030712135646.21901.qmail@www.securityfocus.com>

This posting is completely false. Furthermore, the assertion in the report that the vendor was notified is also false.

StoreFront 6.0 is a .NET application and contains no file named login.asp. The previous version, StoreFront 5.0, was found to be subject to the SQL Injection vulnerability in October of 2002. A patch was released on October 17th 2002 in build 50.4014.

StoreFront Support

>ZH2003-3SA (security advisory): Storefront sql injection: users info
>disclosure
>Published: 12/07/2003
>
>Released: 12/07/2003
>
>Name: Storefront sql injection: users info disclosure
>
>Affected Systems: StoreFront 6.0 (and older versions?)
>
>Issue: Remote attackers can obtain users info
>
>Author: G00db0y@zone-h.org
>
>Description
>
>***********
>
>Zone-h Security Team has discovered a serious security flaw in StoreFront
>6.0
>(and older versions?). "Storefront offers merchants and developers a
>feature
>rich, fully customizable e-commerce solution at a fraction of the cost to
>deploy
>and maintain."
>
>Solution:
>
>*********
>
>The vendor has been contacted and a patch is not yet produced
>
>
>G00db0y - www.zone-h.org admin
>
>Original advisory here: http://www.zone-h.org/en/advisories/read/id=2684/