StoreFront Ecommerce News for FrontPage & Dreamweaver


Fixing the Data Protection Issue in StoreFront 2000
 

Posted Friday, April 23, 2004

A data protection risk was recently discovered in StoreFront 2000, affecting all versions prior to 4.04.4 (Service Pack 12). The issue affects the protection of data stored in your StoreFront web store’s database: it allows a malicious query to be executed through the browser, which can result in data being deleted or corrupted. We recommend that all affected StoreFront users take prompt steps to protect their webs.

Who is affected?
If you have downloaded Service Pack 12, or purchased StoreFront after 7/21/00, then you already have the security fix.
If you have a copy of StoreFront 2000 obtained prior to 7/26 12:00PM CST, then you will need to take steps to apply the security fix.

How can the risk be eliminated?

  1. Download and install Service Pack 12 from the StoreFront Components Library.

  2. If you prefer not to install the entire Service Pack 12, you can download and install the patched search_result.asp file from the StoreFront Components Library. Just replace the existing copy of search_result.asp with the new file. Detailed instructions are in the readme.txt with the download.

  3. If you’ve customized the search_result.asp file to the point that you prefer not to overwrite the file, then you can make the necessary changes to the code yourself. To do this, open the file in Notepad and locate this line:

    SQLStmt = Request("SQLStmt")

    Immediately after this line, insert the following block of code. Attention: Please note that all of the code from If to Then must be on the same line. If you use Notepad to edit this file, turn the Word-Wrap function off under the Format menu before editing.

    ' Compare in upper case so the keyword test is case-insensitive
    SQLStmtTest = UCASE(SQLStmt)
    ' Reject any query string that contains one of the listed keywords
    If Instr(SQLStmtTest, "DELETE") or Instr(SQLStmtTest, "INSERT") or Instr(SQLStmtTest, "UPDATE") or Instr(SQLStmtTest, "CUSTOMER") or Instr(SQLStmtTest, "DROP") or Instr(SQLStmtTest, "ALTER") or Instr(SQLStmtTest, "CREATE") Then
        Response.Write "Invalid Query String"
        Response.End
    End If


    Save the file to complete the fix.
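
As an added example (not part of the original article or of StoreFront's code), this Python model of the check inserted in step 3 shows how it behaves on constructed SQLStmt values: matching is case-insensitive and by substring, so ordinary search text that happens to contain a listed word is rejected as well. The table and column names are hypothetical.

```python
# Python model of the VBScript check from step 3 (added example, not StoreFront code).
BLOCKED_KEYWORDS = ("DELETE", "INSERT", "UPDATE", "CUSTOMER",
                    "DROP", "ALTER", "CREATE")


def blocked_keywords(sql_stmt):
    """Return the keywords that would make the patched page reject sql_stmt.

    Mirrors UCASE() followed by InStr(): the comparison is case-insensitive
    and matches substrings, not whole SQL tokens.
    """
    upper = sql_stmt.upper()
    return [kw for kw in BLOCKED_KEYWORDS if kw in upper]


def is_rejected(sql_stmt):
    """True when the page would write "Invalid Query String" and stop."""
    return bool(blocked_keywords(sql_stmt))


# Constructed sample values for the SQLStmt request parameter. Table and
# column names are hypothetical, not taken from the StoreFront schema.
SAMPLES = [
    "SELECT * FROM product WHERE description LIKE '%lamp%'",
    "delete from product",
    "DrOp TaBlE product",
    "SELECT * FROM customer",
    "SELECT * FROM product WHERE description LIKE '%updated%'",
    "SELECT * FROM product WHERE description LIKE '%backdrop%'",
]


def report(samples=SAMPLES):
    """Pair each sample with the keywords that trigger a rejection."""
    return [(stmt, blocked_keywords(stmt)) for stmt in samples]


if __name__ == "__main__":
    for stmt, hits in report():
        verdict = "REJECT " + ",".join(hits) if hits else "ALLOW"
        print(f"{verdict:<16} {stmt}")
```

The last two samples are plain searches that the check rejects because "updated" and "backdrop" contain a listed keyword, which is worth knowing before applying the edit to a store whose product text may include such words.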
