SQL injection in partner id field on https://www.teavana.com (Sign-up form)
Medium
Starbucks
Reported by
bigbug
Vulnerability Details
Technical details and impact analysis
While signing up for a "teavana" shopping account, it came to notice that the partner id validation fails and a SQL injection exists.
So this is what I did:
1) Visit https://www.teavana.com/us/en/account
2) Click on signin > create shopping account
3) In the partnerno field, gave an input of "1234" (1.PNG)
Result: No issue as expected. Signup fails
message: "We are unable to verify starbucks partner id" (2.PNG)
4) Changed input to "1234' OR 1=1" (without double quotes) (3.PNG)
Result: This time signup succeeds!!! (4.PNG)
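To show why the input in step 4 can pass a partner-id check, here is an added example (not code from the report or from Starbucks) that puts a concatenated, fail-open lookup next to a hardened one using a bound parameter, a digits-only allowlist and fail-closed error handling. The table, the sample partner ids, the id format and the fail-open wiring of the vulnerable check are all assumptions; the report does not say how the real check was implemented.

```python
import re
import sqlite3

# Constructed sample data: three made-up partner ids (not real Starbucks/Teavana data).
SAMPLE_PARTNER_IDS = ["100001", "100002", "100003"]


def make_db():
    """In-memory stand-in for the partner-id lookup table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE partners (partner_id TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO partners VALUES (?)",
                     [(p,) for p in SAMPLE_PARTNER_IDS])
    return conn


def vulnerable_query(partner_no):
    """The anti-pattern: form input spliced straight into the SQL text."""
    return "SELECT COUNT(*) FROM partners WHERE partner_id = '" + partner_no + "'"


def verify_partner_vulnerable(conn, partner_no):
    # Assumed wiring: string concatenation plus a fail-open handler that treats
    # any database error as "could not verify, let the signup continue".
    try:
        return conn.execute(vulnerable_query(partner_no)).fetchone()[0] > 0
    except sqlite3.Error:
        return True  # fail-open: a syntax error from injected quotes becomes a bypass


# Assumed id format: a short string of digits. Anything else is rejected up front.
PARTNER_ID_RE = re.compile(r"[0-9]{1,12}")


def verify_partner(conn, partner_no):
    """Hardened check: allowlist validation, a bound parameter, and fail-closed."""
    if not PARTNER_ID_RE.fullmatch(partner_no):
        return False
    try:
        row = conn.execute("SELECT COUNT(*) FROM partners WHERE partner_id = ?",
                           (partner_no,)).fetchone()
    except sqlite3.Error:
        return False  # fail-closed: an error never verifies anyone
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    for value in ["1234", "100001", "1234' OR 1=1"]:
        print(repr(value), verify_partner_vulnerable(db, value), verify_partner(db, value))
```

Running it prints the vulnerable and hardened verdicts side by side: the report's step-4 input is accepted by the concatenated check (the broken statement raises and the handler fails open) and rejected by the hardened one before any SQL runs.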
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
SQL Injection