Vulnerability Development mailing list archives
Developerstore.com expose critical customer info
From: c c <cesarc56 () yahoo com>
Date: Thu, 10 Jan 2002 08:06:18 -0800 (PST)
Hi all.

The Microsoft site Developerstore.com is a source for ordering free developer product betas, evaluation kits, and other development resources from Microsoft. For students and faculty, the Academic Developer Store is the source for all Microsoft developer products at discounted Academic prices.

This site allows anybody to view critical customer information. This happens because it doesn't check user inputs, allowing SQL injection like:

http://developerstore.com/devstore/productSearch.asp?searchText=|')%20union%20all%20select%201,name%20from%20sysobjects%20where%20type='U'--

This is one of many huge holes. I'm not going to enumerate every one, I don't work for Microsoft :). I just want to tell everyone about this very strange situation :). I don't know when they are going to fix it, so don't put your personal info there until they fix it, and if you already did, hmm... it's your problem :).

Hey, Microsoft people, why don't you test your webapps? You can use WebSleuth http://www.owasp.org/resources/tools/websleuth/index.shtml it's free, you only have to spend time!!!

Microsoft was contacted.

Cesar Cerrudo.
Parana, Entre Rios. Argentina.
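
Added example, not part of the original post and not the site's code: the decoded searchText value from the URL above is run against a constructed SQLite database, first through a query built by string concatenation and then through a bound parameter. The query shape, the products table, its rows and the sysobjects stand-in table are assumptions made for the illustration.

```python
import sqlite3

# The searchText value from the post's URL after URL decoding (%20 -> space).
PAYLOAD = "|') union all select 1,name from sysobjects where type='U'--"


def make_db():
    """Constructed in-memory database; every table and row is sample data."""
    db = sqlite3.connect(":memory:")
    # sysobjects here is an ordinary table standing in for the SQL Server
    # catalog of that name, so the string from the post parses in SQLite.
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'Beta compiler kit'), (2, 'Evaluation SDK');
        CREATE TABLE sysobjects (name TEXT, type TEXT);
        INSERT INTO sysobjects VALUES ('customers', 'U'), ('orders', 'U'),
                                      ('sp_search', 'P');
    """)
    return db


def search_concatenated(db, search_text):
    """Before: the input is pasted into the SQL text, so it can rewrite the query."""
    # Assumed query shape: the leading |') in the post implies a quoted value
    # inside parentheses.
    sql = "SELECT id, name FROM products WHERE (name LIKE '%" + search_text + "%')"
    return db.execute(sql).fetchall()


def search_parameterized(db, search_text):
    """After: the input is bound as data and is only ever compared to name."""
    sql = "SELECT id, name FROM products WHERE (name LIKE '%' || ? || '%')"
    return db.execute(sql, (search_text,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for fn in (search_concatenated, search_parameterized):
        print(fn.__name__, "normal :", fn(db, "SDK"))
        print(fn.__name__, "payload:", fn(db, PAYLOAD))
```

With the concatenated query the result set contains the names of the user tables instead of products; with the bound parameter the same string matches no product and returns nothing.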
Current thread:
- Developerstore.com expose critical customer info c c (Jan 11)
- <Possible follow-ups>
- RE: Developerstore.com expose critical customer info Blue Boar (Jan 11)
- RE: Developerstore.com expose critical customer info sq (Jan 11)
- Re: Developerstore.com expose critical customer info Blue Boar (Jan 11)
- Re: Developerstore.com expose critical customer info c c (Jan 12)
- Re: Developerstore.com expose critical customer info Jeremiah Grossman (Jan 12)
- Re: Developerstore.com expose critical customer info shawn merdinger (Jan 13)
- RE: Developerstore.com expose critical customer info Mark Curphey (Jan 13)
- Re: Developerstore.com expose critical customer info Jeremiah Grossman (Jan 12)