Developerstore.com expose critical customer info

From: c c (cesarc56@yahoo.com)
Date: 01/10/02


Date: Thu, 10 Jan 2002 08:06:18 -0800 (PST)
From: c c <cesarc56@yahoo.com>
To: vuln-dev@securityfocus.com

Hi all.
The Microsoft Site: Developerstrore.com , a source for
ordering free developer product betas, evaluation
kits, and other development resources from Microsoft.
For students and faculty, the Academic Developer Store
is the source for all Microsoft developer products at
discounted Academic prices.
This site allow to anybody to view critical customer
information, this happen because it's doesn't check
user inputs, allowing sql inyection like :
 

http://developerstore.com/devstore/productSearch.asp?searchText=|')%20union%20all%20select%201,name%20from%20sysobjects%20where%20type='U'--

this is one of many huge holes, i'm not going to
enumerate every one, i don't work for microsoft :). I
just want to tell everyone this very strange situation
:).

I don't know when they gonna fix it, so don't put your
personal info there until they fix it and i you alredy
do it humm... it's your problem :).

Hey, Microsoft people, why don't you test your
webapps? you can use WebSleuth
http://www.owasp.org/resources/tools/websleuth/index.shtml
it's free, you have to expend only time!!!.

Microsoft was contacted.

Cesar Cerrudo.
Parana, Entre Rios.
Argentina.

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/