Bugtraq mailing list archives
Re: [Full-disclosure] bug in oscomerce
From: Frank Laszlo <laszlof () vonostingroup com>
Date: Sun, 04 Jun 2006 10:58:59 -0400
This would require access to the administrator panel to work; how is this a vuln?
zeus olimpusklan wrote:
###########################################################################
# Advisory #2 Title: file Modification in osCommerce
#
# Author: 0o_zeus_o0
# Contact: zeus () diosdelared com
# Website: olimpusklan.org
# Date: 27/12/2005
# Risk: High
# Vendor Url: http://www.oscommerce.com/
# Affected Software: osCommerce
# Non Affected:
#
# We Are: Olimpus KlaN
#
# TECHNICAL INFO
# ================================================================
#
# It is simple to exploit this bug as long as the file file_manager.php
# exists in the administration panel.
#
# Thanks to this file we can view files such as configure.php.
# The bug is serious since, if the file has write permissions, one can
# modify the site or access its FTP.
#
# BUG
# ================================================================
# http://www.site.org/admin/file_manager.php
# http://www.site.org/admin/file_manager.php?info=archive.php&action=edit
# http://www.site.org/admin/file_manager.php?info= archive.php&action=edit
#
# VULNERABLE VERSIONS
# ================================================================
# All
#
# ================================================================
# Contact information
# 0o_zeus_o0
# zeus () diosdelared com
# www.olimpusklan.org
# ================================================================
# greetz: lady fire, fraude, adi, xoxo, pandora, mbyte, S.s.m.
###########################################################################
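Frank's objection is the practical point: file_manager.php is an administrator feature, so the useful control is to log and review who used it and which files they opened. The following Python is an added example, not code from this thread or from osCommerce: it walks a constructed access log and reports every file_manager.php request that carries an action parameter, marks edits of configure.php (the file the advisory names), and separates requests the admin login let through from ones it refused. The log format, the sample lines and the allowed/denied status rule are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format (Apache/nginx) access log line; only the fields the audit needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

FILE_MANAGER = "/admin/file_manager.php"   # the admin script named in the advisory
SENSITIVE_FILES = {"configure.php"}        # the file the advisory singles out


def parse_line(line):
    """Parse one log line; return None unless it is a file_manager.php
    request carrying an action parameter (a plain listing has none)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(FILE_MANAGER):
        return None
    params = parse_qs(url.query)
    action = params.get("action", [None])[0]
    if action is None:
        return None
    status = int(m.group("status"))
    info = params.get("info", [None])[0]
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "action": action,
        "info": info, "status": status,
        # Assumed rule: 2xx/3xx means the admin session was accepted,
        # 401/403 means the admin login in front of the script refused it.
        "outcome": "allowed" if status < 400 else "denied",
        "sensitive": info in SENSITIVE_FILES,
    }


def audit_file_manager(log_text):
    """Return every edit-style file_manager.php request found in the log."""
    hits = (parse_line(line) for line in log_text.splitlines())
    return [h for h in hits if h is not None]


# Constructed sample: a normal page view, a bare directory listing, a
# successful edit of configure.php, and an attempt rejected by admin auth.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2006:10:12:01 -0400] "GET /catalog/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2006:10:13:44 -0400] "GET /catalog/admin/file_manager.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2006:10:14:02 -0400] "GET /catalog/admin/file_manager.php?info=configure.php&action=edit HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2006:10:15:30 -0400] "GET /catalog/admin/file_manager.php?info=configure.php&action=edit HTTP/1.1" 401 401 "-" "curl/7.15"
"""
```

Calling `audit_file_manager(SAMPLE_LOG)` returns two hits: the accepted edit of configure.php and the refused attempt from the second address; the bare listing and the catalog page view are ignored.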