[VIM] [Full-disclosure] bug in oscomerce

George A. Theall theall at tenablesecurity.com
Wed Jun 7 19:52:03 EDT 2006


Steven M. Christey wrote:
> I've been spending too much time investigating this issue, so I gotta
> stop.  But figured I'd forward it to VIM if someone else wants to
> investigate.  Since I don't have a conclusion I'll leave it off
> Bugtraq.

osCommerce expects access to its administrative area to be handled by
the web server; e.g., with a .htaccess file. It even includes an example
in the distribution file to take care of this:

http://www.oscommerce.info/kb/osCommerce/General_Information/Tips_and_Tricks/249

In some cases, though, it's possible this file will be ignored (e.g., the
web server doesn't allow overrides) or the server doesn't grok .htaccess
files. Then, anyone will be able to access any of the administrative
scripts under admin/, including admin/file_manager.php.

I'm not clear if the original researcher understood this. If he did, I'd
agree with Frank Laszlo that it's not really an issue; otherwise, I'd
say it's part of a more general problem.

George
-- 
theall at tenablesecurity.com
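The failure mode George describes (a .htaccess that the server never reads because AllowOverride is off) can be checked from the configuration itself. The following is an added example, not code from the thread or from osCommerce: the httpd.conf fragments, the .htaccess and the function names are constructed for illustration, and the parser only handles plain `<Directory>` blocks with a single `AllowOverride` line each.

```python
import re
from pathlib import PurePosixPath

# Constructed httpd.conf fragment: overrides disabled for the whole docroot,
# so any .htaccess under admin/ is silently ignored.
WEAK_CONF = """
<Directory "/var/www/html">
    AllowOverride None
</Directory>
"""

# Constructed corrected fragment: the admin directory is explicitly allowed
# to supply authentication directives via .htaccess.
FIXED_CONF = """
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<Directory "/var/www/html/catalog/admin">
    AllowOverride AuthConfig
</Directory>
"""

# Constructed .htaccess in the spirit of the one osCommerce ships for admin/.
ADMIN_HTACCESS = """
AuthType Basic
AuthName "osCommerce Administration"
AuthUserFile /var/www/html/catalog/admin/.htpasswd_oscommerce
Require valid-user
"""

_DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def allow_override_for(conf: str, directory: str) -> set[str]:
    """AllowOverride tokens (lower-cased) of the most specific <Directory>
    block enclosing `directory`; Apache lets the longest prefix win."""
    best, tokens = -1, set()
    target = PurePosixPath(directory)
    for dir_path, body in _DIR_RE.findall(conf):
        d = PurePosixPath(dir_path)
        if target == d or d in target.parents:
            m = re.search(r'^\s*AllowOverride\s+(.+?)\s*$', body, re.M | re.I)
            if m and len(d.parts) > best:
                best, tokens = len(d.parts), set(m.group(1).split())
    return {t.lower() for t in tokens}

def htaccess_auth_enforced(conf: str, htaccess: str, directory: str) -> bool:
    """True only if the .htaccess carries auth directives AND the server will
    actually honour them (AllowOverride All or AuthConfig for that directory)."""
    has_auth = bool(re.search(r'^\s*(AuthType|Require)\b', htaccess, re.M | re.I))
    return has_auth and bool(allow_override_for(conf, directory) & {"all", "authconfig"})
```

The same outcome holds when the server has no .htaccess support at all; moving the Auth directives into the `<Directory>` block in httpd.conf removes the dependency on overrides entirely.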
