Message-ID: <20030717200533.937.qmail@www.securityfocus.com>
Date: 17 Jul 2003 20:05:33 -0000
From: Bob LaGarde <b.lagarde@...arde.com>
To: bugtraq@...urityfocus.com
Subject: Re: ZH2003-3SA (security advisory): Storefront sql injection: users info disclosure


In-Reply-To: <20030712135646.21901.qmail@....securityfocus.com>

This posting is completely false. Furthermore, the assertion in the
report that the vendor was notified is also false.

StoreFront 6.0 is a .NET application and contains no file named 
login.asp.  The previous version, StoreFront 5.0 was found to be subject 
to the SQL Injection vulnerability in October of 2002.  A patch was 
released on October 17th 2002 in build 50.4014.

StoreFront Support   

>ZH2003-3SA (security advisory): Storefront sql injection: users info disclosure
>Published: 12/07/2003
>
>Released: 12/07/2003
>
>Name: Storefront sql injection: users info disclosure
>
>Affected Systems: StoreFront 6.0 (and older versions?)
>
>Issue: Remote attackers can obtain users info
>
>Author: G00db0y@...e-h.org
>
>Description
>
>***********
>
>Zone-h Security Team has discovered a serious security flaw in StoreFront 6.0
>(and older versions?). "Storefront offers merchants and developers a feature
>rich, fully customizable e-commerce solution at a fraction of the cost to deploy
>and maintain."
>
>Solution:
>
>*********
>
>The vendor has been contacted and a patch is not yet produced
>
>
>G00db0y - www.zone-h.org admin
>
>Original advisory here: http://www.zone-h.org/en/advisories/read/id=2684/
>

