osCommerce file_manager.php filename Variable Traversal Arbitrary File Access

2004-05-17T00:00:00
ID OSVDB:6308
Type osvdb
Reporter l0om(l0om@excluded.org)
Modified 2004-05-17T00:00:00

Description

Vulnerability Description

osCommerce contains a flaw that allows a remote attacker to view arbitrary files outside of the web path. The issue is due to the file_manager.php script not properly sanitizing user input; specifically, it accepts directory traversal sequences (../../) supplied via the "filename" parameter.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/admin/file_manager.php?action=download&filename=../../../../../../../../etc/passwd

http://[victim]/admin/file_manager.php?action=read&filename=../../../../
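Since no fix is listed, reviewing web server logs for requests of the form shown above is one way to check exposure. The following is an added example, not part of the original advisory or of osCommerce: it flags requests to file_manager.php whose "filename" parameter contains a parent-directory segment, including percent-encoded forms. The log format (Apache combined) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [17/May/2004:10:00:01 +0000] "GET /admin/file_manager.php?action=download&filename=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "-"
192.0.2.11 - - [17/May/2004:10:00:05 +0000] "GET /admin/file_manager.php?action=read&filename=%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 611 "-" "-"
192.0.2.12 - - [17/May/2004:10:00:09 +0000] "GET /admin/file_manager.php?action=read&filename=%252e%252e%252f HTTP/1.1" 200 980 "-" "-"
198.51.100.7 - - [17/May/2004:10:01:00 +0000] "GET /admin/file_manager.php?action=read&filename=index.php HTTP/1.1" 200 2210 "-" "-"
198.51.100.8 - - [17/May/2004:10:01:30 +0000] "GET /catalog/index.php?filename=../x HTTP/1.1" 200 50 "-" "-"
"""

# Captures client address, request target and status code of one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_parent_segment(path):
    """True if any segment, split on / or \\, is exactly '..'."""
    return ".." in re.split(r"[\\/]", path)

def find_traversal_requests(log_text):
    """Return (client, status, decoded filename) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/file_manager.php"):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            filename = decode_fully(value)  # parse_qsl already decoded once
            if name == "filename" and has_parent_segment(filename):
                hits.append((client, int(status), filename))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request with a 200 status is worth following up first, since it suggests the server returned content rather than rejecting the request.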

References:

Vendor URL: http://www.oscommerce.com/
Security Tracker: 1010176
Secunia Advisory ID: 11624
Other Advisory URL: http://www.excluded.org/advisories/advisory13.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-05/0162.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0378.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1276.html
ISS X-Force ID: 16174
Bugtraq ID: 10364