ZH2003-3SA (security advisory): Storefront sql injection: users info 

disclosure

Published: 12/07/2003



Released: 12/07/2003



Name: Storefront sql injection: users info disclosure



Affected Systems: StoreFront 6.0 (and older versions?)



Issue: Remote attackers can obtain users info



Author: G00db0y@zone-h.org



Description



***********



Zone-h Security Team has discovered a serious security flaw in StoreFront 

6.0 

(and older versions?). "Storefront offers merchants and developers a 

feature 

rich, fully customizable e-commerce solution at a fraction of the cost to 

deploy 

and maintain."



Details



*******



Storefront is an ASP shopping cart / storefront system that covers all 

the 

needs for ecommerce web sites. 



It's possible to retrieve sensible users information. There is a sql 

injection vulnerability in /login.asp of StoreFront system. It's possible

to login with this email id and password:

' or 'a'='a



to have then access to the first user in database structure. If an 

attacker 

knew any email address of a registered user, it'll be possible for him to 

retrieve

the  registered uses's information from this login page. 



Example: 



Email of registered user: example@example.com



Email id (user in the login.asp): example@example.com

Password: ' or 'a'='a





Solution:



*********



The vendor has been contacted and a patch is not yet produced





Suggestions:



************



Nothing



G00db0y - www.zone-h.org admin



Original advisory here: http://www.zone-h.org/en/advisories/read/id=2684/