[VIM] [Full-disclosure] bug in oscomerce
security curmudgeon
jericho at attrition.org
Mon Jun 19 02:46:47 EDT 2006
: I've been spending too much time investigating this issue, so I gotta
: stop. But figured I'd forward it to VIM if someone else wants to
: investigate. Since I don't have a conclusion I'll leave it off Bugtraq.
:
: Is there a reason the original post didn't make it into any vuln dbs?

I can't find the reference, but I could have sworn this is a) intended
functionality and b) requires authentication.

However, since the original post, OSVDB has included such issues if a web
application admin can edit a .php file to include arbitrary code that
would be executed on the server. Just because I have privilege to admin a
blog, doesn't mean I should be able to run *any* PHP code on a server.

However, if the application limits what can be added to a file,
non-issue.