Newsbytes, 2002-01-11
Microsoft Developer Store shuttered following database gaffe
An online store operated by Microsoft Corp. [NASDAQ: MSFT] for software developers was unavailable today following reports that a security flaw gave visitors the ability to take control of the site, including access to customer data.
The Microsoft Developer Store, located at http://developerstore.com , used an insecure script to enable users to search for products in a Microsoft SQL database, according to an advisory posted today by an Argentinean security researcher to an online security mailing list.
As a result of the vulnerability, malicious users could have caused the Microsoft server to execute any command, according to the message posted to Vuln-Dev by Cesar Cerrudo.
"This is the classic .ASP, server-side, I-left-my-SQL-server-exposed mistake," said Blue Boar, the moderator of the Vuln-Dev list, which is hosted by SecurityFocus, a security information and consulting firm.
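The mistake the article describes, a server-side script that pastes the visitor's search term straight into SQL text, is easiest to see beside its fix. The following is an added example, not code from the Developer Store or from Cerrudo's advisory; it uses Python with an in-memory SQLite table and a constructed three-row catalogue in place of the ASP page and SQL Server the store used. The unsafe function shows why a single quote in ordinary input ("O'Reilly") already changes the statement the database receives, while the parameterised version hands the term to the driver as data so the same input is just a search term.

```python
import sqlite3

# Constructed sample catalogue; it bears no relation to the real store's data.
PRODUCTS = [
    ("Visual Studio", "IDE"),
    ("O'Reilly Guide", "Book"),
    ("SQL Server", "Database"),
]


def make_db():
    """Build an in-memory table standing in for the product database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_unsafe(conn, term):
    """The flaw from the article: user input concatenated into the SQL string.

    Whatever the visitor types becomes part of the statement, so a quote
    character ends the string literal early and the rest is parsed as SQL.
    """
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the term travels to the database as a bound value.

    The SQL text is fixed; quotes in the term are data, never syntax.
    """
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demonstrate():
    """Run both versions on a plain term and on one containing a quote."""
    conn = make_db()
    results = {
        "safe_plain": search_safe(conn, "SQL"),
        "safe_quote": search_safe(conn, "O'Reilly"),
        "unsafe_plain": search_unsafe(conn, "SQL"),
    }
    try:
        # The quote breaks the concatenated statement: the database sees
        # ... LIKE '%O'Reilly%' and rejects it, which is the visible symptom
        # of input being interpreted as SQL.
        search_unsafe(conn, "O'Reilly")
        results["unsafe_quote_failed"] = False
    except sqlite3.OperationalError:
        results["unsafe_quote_failed"] = True
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(key, value)
```

The syntax error raised by the unsafe path is the benign version of the problem; the same concatenation lets any SQL the visitor supplies reach the server, which is what the advisory reported. A parameterised query (or a stored procedure called with bound parameters on SQL Server) is the fix, and an application account limited to reading the product table limits the damage if another such script is missed.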
After receiving Cerrudo's submission to the list Thursday, Blue Boar said he confirmed the vulnerability but withheld immediate posting of the message to the list's 14,000 readers. Instead, he forwarded a copy of the advisory to Microsoft's security team.
A Microsoft spokesperson told Newsbytes the company had no immediate comment on the incident.
Visitors to the Microsoft Developer Store site this afternoon were greeted with the following message: "This site is temporarily down for maintenance, please check back later."
The Microsoft Developer Store is used by software professionals to order development tools and other resources. A special section for academics provides Microsoft products at reduced prices.
According to Internet registration data, the Microsoft store is hosted by Saltmine Creative, Inc., a Seattle e-commerce service provider.
Blue Boar said he allowed Cerrudo's message to be distributed to list members this afternoon only after he received a note from Microsoft acknowledging the flaw and after he noted that the company had removed the insecure product search option Thursday evening.
"I'll probably take some heat for being a censor, but there are a handful of people on the list who would have pounced on the information and used it for bad purposes," said Blue Boar.
However, Cerrudo's message managed to leak through to Webappsec, another SecurityFocus list for Web application security discussions, early Thursday.
"There may have been a ten- or twelve-hour window during which some people knew about this hole and it was still exploitable, but only Microsoft knows whether anybody took advantage of it," said Blue Boar, who noted that the vulnerability could have enabled a malicious person to access customer order data.
Cerrudo's message included a suggestion that Microsoft test its Web applications using a service called WebSleuth.
"It's free, you have to expend only time," wrote Cerrudo.
The Microsoft Developer Store is at http://developerstore.com .
SaltMine is at http://www.saltmine.com .
The advisory posted to Vuln-Dev is at http://www.securityfocus.com/archive/82/249702 .
WebSleuth is online at http://www.owasp.org/resources/tools/websleuth/index.shtml .
Reported by Newsbytes, http://www.newsbytes.com .