advisory13.txt

2004-05-19T00:00:00
ID PACKETSTORM:33379
Type packetstorm
Reporter l0om
Modified 2004-05-19T00:00:00

Description

                                        
                                            `l0om - l0om[at]excluded.org - www.excluded.org   
  
greets,
While I was "warsearching" with Google I suddenly ended up on the admin interfaces of many osCommerce sites. I made a:
allinurl:admin/file_manager.php

Normally you can only view your osCommerce directories, but if you type in the following you can view any file on the server with the webserver's permissions:
file_manager.php?action=download&filename=../../../../../../../../etc/passwd

As you have to be logged in this isn't hot, but I think it's better to know about it.
  
  
l0om
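The advisory describes a path traversal through the `filename` parameter of the file manager's download action. Below is an added example, not code from osCommerce or from the advisory's author, showing in Python the two things a defender wants for this class of bug: a download-path check that canonicalises the requested name and refuses anything that escapes the configured directory, and a detector that flags traversal attempts against `admin/file_manager.php` in web-server access logs. The base directory `/srv/oscommerce/catalog` and the log lines are constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_download_path(base_dir, filename):
    """Return the canonical path for `filename` under `base_dir`, or None if it escapes.

    The fix for the bug in the advisory: join, canonicalise (collapsing any '..'
    segments and symlinks), then require the result to still sit inside base_dir.
    An absolute `filename` such as '/etc/passwd' replaces the base on join and is
    rejected by the same containment check.
    """
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


# '..' as a whole path segment, with either slash style, at start, middle or end.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal_request(request_line):
    """True if a 'METHOD /path?query HTTP/x' request asks file_manager.php for a traversing filename."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if not url.path.endswith("/admin/file_manager.php"):
        return False
    for raw in parse_qs(url.query).get("filename", []):
        # parse_qs decodes one layer of %-encoding; unquote again to catch double encoding.
        if TRAVERSAL.search(unquote(raw)):
            return True
    return False


# Constructed combined-log lines: one benign download and two traversal attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2004:10:00:00 +0000] "GET /admin/file_manager.php?action=download&filename=../../../../etc/passwd HTTP/1.0" 200 1234',
    '10.0.0.6 - - [19/May/2004:10:00:01 +0000] "GET /admin/file_manager.php?action=download&filename=images/logo.gif HTTP/1.0" 200 4321',
    '10.0.0.7 - - [19/May/2004:10:00:02 +0000] "GET /admin/file_manager.php?action=download&filename=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1234',
]


def flagged_clients(log_lines):
    """Client addresses whose request (the first double-quoted field) is a traversal attempt."""
    hits = []
    for line in log_lines:
        m = re.search(r'"([^"]*)"', line)
        if m and is_traversal_request(m.group(1)):
            hits.append(line.split()[0])
    return hits
```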