BugTraq
Re: ZH2003-3SA (security advisory): Storefront sql injection: users info disclosure Jul 17 2003 08:05PM
Bob LaGarde (b lagarde lagarde com)
In-Reply-To: <20030712135646.21901.qmail (at) www.securityfocus (dot) com [email concealed]>

This posting is completely false. Furthermore, the assertion in the
report that the vendor was notified is also false.

StoreFront 6.0 is a .NET application and contains no file named
login.asp. The previous version, StoreFront 5.0, was found to be subject
to the SQL Injection vulnerability in October of 2002. A patch was
released on October 17th 2002 in build 50.4014.

StoreFront Support

>ZH2003-3SA (security advisory): Storefront sql injection: users info
>disclosure
>Published: 12/07/2003
>
>Released: 12/07/2003
>
>Name: Storefront sql injection: users info disclosure
>
>Affected Systems: StoreFront 6.0 (and older versions?)
>
>Issue: Remote attackers can obtain users info
>
>Author: G00db0y (at) zone-h (dot) org [email concealed]
>
>Description
>
>***********
>
>Zone-h Security Team has discovered a serious security flaw in StoreFront 6.0
>(and older versions?). "Storefront offers merchants and developers a feature
>rich, fully customizable e-commerce solution at a fraction of the cost to deploy
>and maintain."
>
>Solution:
>
>*********
>
>The vendor has been contacted and a patch is not yet produced
>
>
>G00db0y - www.zone-h.org admin
>
>Original advisory here: http://www.zone-h.org/en/advisories/read/id=2684/
>
