osCommerce File Manager vulnerability
Category: Vulnerability Posted: 2005-03-26 by basher13 Views: 1244
Date: 2:39 AM 3/26/2005
Subject: "osCommerce File Manager vulnerability"
Description:
osCommerce is an online shop e-commerce solution under ongoing development by the
open source community. Its feature-packed out-of-the-box installation allows store
owners to set up, run, and maintain their online stores with minimum effort and with
absolutely no costs or license fees involved.
osCommerce combines open source solutions to provide a free and open e-commerce platform,
which includes the powerful PHP web scripting language, the stable Apache web server, and
the fast MySQL database server.
Vulnerability:
The osCommerce administration file manager (admin/file_manager.php) lets an anonymous user obtain administration privileges.
A Google search such as "inurl:admin/file_manager.php" finds vulnerable installations: where the search is lucky, the PHP file manager of the administration area loads without any login prompt, and an anonymous user can then act with the administrator's privileges on the web service, such as uploading, deleting, or renaming a file.
Because the file manager writes into the shop's web root, anyone who can upload or edit files there can also place their own PHP scripts and run code on the server.
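One way to check an installation for this exposure, as an added example that is not code from the advisory or from osCommerce: the script requests admin/file_manager.php without credentials and classifies the reply. The HTML markers and the login.php redirect it looks for are assumptions about what the osCommerce admin pages emit, and the sample responses at the bottom are constructed so the check can be exercised offline.

```python
"""Added audit check (not part of the advisory or of osCommerce): decide from an
HTTP response whether admin/file_manager.php is being served to an anonymous
client. The markers below are assumed to appear in the file manager's HTML."""
import urllib.error
import urllib.request
from typing import Mapping

# Assumed fragments of the osCommerce admin file manager page; adjust for your install.
FILE_MANAGER_MARKERS = ("File Manager", "file_manager.php?action=")
# Assumed fragment of a login form an admin area may redirect to or render instead.
LOGIN_MARKER = "login.php"


def classify(status: int, headers: Mapping[str, str], body: str) -> str:
    """Return one of 'protected', 'exposed', 'missing' or 'unknown'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "protected"            # server asked for credentials or refused outright
    if status == 404:
        return "missing"              # no file manager at this path
    if 300 <= status < 400:
        location = hdrs.get("location", "")
        return "protected" if LOGIN_MARKER in location else "unknown"
    if status == 200:
        if all(marker in body for marker in FILE_MANAGER_MARKERS):
            return "exposed"          # the file manager rendered with no credentials
        if LOGIN_MARKER in body:
            return "protected"        # a login form was served instead
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch <base_url>/admin/file_manager.php anonymously and classify the reply."""
    url = base_url.rstrip("/") + "/admin/file_manager.php"
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "osc-file-manager-check"})
    try:
        with opener.open(request, timeout=timeout) as response:
            body = response.read().decode("utf-8", "replace")
            return classify(response.status, dict(response.headers), body)
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx land here because of _NoRedirect; classify them the same way.
        return classify(err.code, dict(err.headers), "")


# Constructed sample responses so the check can be exercised offline.
SAMPLE_RESPONSES = {
    "basic-auth": (401, {"WWW-Authenticate": 'Basic realm="osCommerce Admin"'}, ""),
    "open-admin": (200, {"Content-Type": "text/html"},
                   '<title>File Manager</title>'
                   '<a href="file_manager.php?action=upload">Upload</a>'),
    "session-login": (302, {"Location": "http://shop.example/admin/login.php"}, ""),
    "no-admin": (404, {}, "Not Found"),
}


def run_samples() -> dict:
    """Classify every constructed sample; used by the offline self-check."""
    return {name: classify(*args) for name, args in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} {verdict}")
```

Run `probe("http://shop.example")` against your own shop only; a verdict of "exposed" means the file manager answered an anonymous request, and "unknown" means the reply did not match any of the assumed patterns and should be inspected by hand.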
Solution:
The bug is fixed in the next osCommerce version. Until then, protect the PHP script (file_manager.php, or better the whole admin directory) with a password: either require authentication at the web server itself (for example Apache HTTP Basic authentication on the admin directory) or add a check like the one below at the very top of the script, before it produces any output or touches any file.
A sample PHP script for user authentication:
    <?php
    // HTTP Basic authentication gate; include this before anything else in
    // file_manager.php so the script refuses to run without valid credentials.
    $username = "adm";
    $password = "pass";

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
        // No credentials supplied: ask the browser for them and stop here.
        header('WWW-Authenticate: Basic realm="My Site"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Get a better day!';
        exit();
    }

    // Strict comparison (===) so that loose type juggling cannot match a wrong value.
    if ($_SERVER['PHP_AUTH_USER'] === $username && $_SERVER['PHP_AUTH_PW'] === $password) {
        echo "The username and password you have entered are correct!";
    } else {
        // Wrong credentials: send the 401 again so the browser can prompt once more.
        header('WWW-Authenticate: Basic realm="My Site"');
        header('HTTP/1.0 401 Unauthorized');
        echo "The username and/or password you have entered is incorrect!";
        exit();
    }
Vendor URL: http://www.oscommerce.com/
Reported by: basher13 [at]linuxmail.org
Infamous Group - http://98.to/infamous