[VIM] [Full-disclosure] bug in oscomerce

Steven M. Christey coley at mitre.org
Wed Jun 7 18:23:39 EDT 2006


I've been spending too much time investigating this issue, so I gotta
stop.  But figured I'd forward it to VIM if someone else wants to
investigate.  Since I don't have a conclusion I'll leave it off
Bugtraq.

Is there a reason the original post didn't make it into any vuln dbs?

original ref was:

  http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040647.html

dispute here:

 BUGTRAQ:20060604 Re: [Full-disclosure] bug in oscomerce
 http://www.securityfocus.com/archive/1/archive/1/435976/100/0/threaded


========================

Frank Laszlo asked:

>this would require access to the administrator panel to work, how is
>this a vuln?

Does admin/file_manager.php require authentication to be accessed?  If
it doesn't, then this admin functionality would be exposed to anyone
who can make a direct request to the file.  This is a pretty standard
problem in web applications.

I don't know if that's the case here - the original researcher was not
precise about this, and the source code does not have any obvious
authentication.  The default distribution has a .htaccess in the admin
directory, but there's nothing specifying authentication.  A grep of
file_manager.php for "pass", "auth", "admin", and "check" yields
nothing.  Still, maybe the authentication is going on elsewhere.

Oh, by the way - the source code in oscommerce 2.2 Milestone 2 Update
051113 says:

  Server Requirement Error: register_globals is disabled in your PHP
  configuration. This can be enabled in your php.ini configuration
  file or in the .htaccess file in your catalog directory.

(for those who have suggested that we should ignore issues involving
register_globals)

- Steve
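
The check described in the message, grepping file_manager.php for "pass", "auth", "admin" and "check" while allowing that authentication may be "going on elsewhere", can be extended to the files the script includes and to the directory's .htaccess. This is an added example, not part of the original post and not osCommerce code; the sample tree, `includes/bootstrap.php` and all function names are constructed for illustration, and only literal include/require paths are followed.

```python
import re
import tempfile
from pathlib import Path

KEYWORDS = ("pass", "auth", "admin", "check")  # the four terms grepped in the post
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
HTACCESS_AUTH_RE = re.compile(r"^\s*(AuthType|AuthUserFile|Require)\b", re.I | re.M)

def keyword_hits(entry, seen=None):
    """Grep entry and every literal include/require it pulls in, recursively."""
    seen = {} if seen is None else seen
    entry = Path(entry).resolve()
    if entry in seen or not entry.is_file():
        return seen
    text = entry.read_text(errors="replace")
    seen[entry] = sorted(k for k in KEYWORDS if k in text.lower())
    for rel in INCLUDE_RE.findall(text):
        keyword_hits(entry.parent / rel, seen)  # resolved relative to the includer
    return seen

def htaccess_enforces_auth(directory):
    """True only if .htaccess exists and carries Apache auth directives."""
    f = Path(directory) / ".htaccess"
    return f.is_file() and bool(HTACCESS_AUTH_RE.search(f.read_text(errors="replace")))

def build_sample(root):
    """Constructed sample tree; file names and contents are hypothetical."""
    admin = Path(root) / "admin"
    (admin / "includes").mkdir(parents=True)
    (admin / ".htaccess").write_text("Options -Indexes\n")  # present, but no auth
    (admin / "file_manager.php").write_text(
        "<?php\nrequire('includes/bootstrap.php');\n$dir = $_GET['dir'];\n")
    (admin / "includes" / "bootstrap.php").write_text(
        "<?php\nif (empty($_SESSION['auth_user'])) { exit; }\n")
    return admin

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        admin = build_sample(tmp)
        print(".htaccess enforces auth:", htaccess_enforces_auth(admin))
        for path, hits in keyword_hits(admin / "file_manager.php").items():
            print(path.relative_to(admin.resolve()), hits or "no hits")
```

A keyword hit in an included file is a lead to read by hand, not proof that the entry script is protected; includes built from variables are not followed.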

