Date: Sun Jun 4 16:34:34 2006
From: laszlof at vonostingroup.com (Frank Laszlo)
Subject: bug in osCommerce

This would require access to the administrator panel to work; how is this a vuln?

zeus olimpusklan wrote:
> ###########################################################################
> # Advisory #2 Title: File Modification in osCommerce
> #
> #
> # Author: 0o_zeus_o0
> # Contact: zeus@...sdelared.com <mailto:zeus@...sdelared.com>
> # Website: olimpusklan.org <http://olimpusklan.org>
> # Date: 27/12/2005
> # Risk: High
> # Vendor Url: http://www.oscommerce.com/
> # Affected Software: osCommerce
> # Non Affected:
> #
> # We Are: Olimpus KlaN
> #
> # TECHNICAL INFO
> # ================================================================
> #
> # The bug is simple to exploit as long as the file file_manager.php
> # exists in the administration panel.
> #
> # Thanks to this file we can view files such as configure.php.
> # The bug is serious since, if the file has write permissions, one can
> # modify the site or access its FTP.
> #
> # BUG
> # ================================================================
> # http://www.site.org/admin/file_manager.php
> # http://www.site.org/admin/file_manager.php?info=archive.php&action=edit
> # http://www.site.org/admin/file_manager.php?info= archive.php&action=edit
> #
> # VULNERABLE VERSIONS
> # ================================================================
> # All
> #
> #
> # ================================================================
> # Contact information
> # 0o_zeus_o0
> # zeus@...sdelared.com <http://diosdelared.com>
> # www.olimpusklan.org
> # ================================================================
> # greetz: lady fire, fraude, adi, xoxo, pandora, mbyte, S.s.m.
> ##############################################################################
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
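The reply above reduces the advisory to two deployment questions: is the admin panel (and thus file_manager.php) reachable without authentication, and can the web server process write to configure.php at all. The following audit script is an added example, not code from osCommerce or from either poster; it assumes the stock osCommerce layout (includes/configure.php, admin/includes/configure.php, admin/file_manager.php) and assumes the admin directory is gated with an Apache .htaccess carrying AuthType/Require directives. It builds a constructed throw-away web root so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Assumed osCommerce layout: the two configure.php files hold DB credentials
# and filesystem paths, so the web server user should not be able to write them.
CONFIG_FILES = ("includes/configure.php", "admin/includes/configure.php")
FILE_MANAGER = "admin/file_manager.php"
ADMIN_HTACCESS = "admin/.htaccess"


def audit_webroot(root):
    """Return a list of findings for an osCommerce-style web root.

    Run this as the web server user: os.access() answers for the *effective*
    uid, which is exactly what file_manager.php would have when it saves a file.
    (Caveat: as root every file reports writable.)
    """
    root = Path(root)
    findings = []

    for rel in CONFIG_FILES:
        path = root / rel
        if path.exists() and os.access(path, os.W_OK):
            findings.append(f"writable: {rel}")

    # The file manager is an admin feature; the only question is whether the
    # admin directory is actually gated. Here we assume HTTP auth in .htaccess.
    if (root / FILE_MANAGER).exists():
        htaccess = root / ADMIN_HTACCESS
        rules = htaccess.read_text() if htaccess.exists() else ""
        if "AuthType" not in rules or "Require" not in rules:
            findings.append(f"{FILE_MANAGER} present and admin/ has no HTTP auth rule")

    return findings


def build_demo_tree(protect_admin):
    """Construct a temporary, minimal osCommerce-like tree for demonstration."""
    root = Path(tempfile.mkdtemp(prefix="osc-audit-"))
    for rel in CONFIG_FILES + (FILE_MANAGER,):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed placeholder\n")
        path.chmod(0o644)  # owner-writable, i.e. writable by the process that created it
    if protect_admin:
        # Hypothetical protection rule; AuthUserFile path is an assumption.
        (root / ADMIN_HTACCESS).write_text(
            "AuthType Basic\nAuthName \"admin\"\n"
            "AuthUserFile /etc/apache2/osc.htpasswd\nRequire valid-user\n"
        )
    return root


if __name__ == "__main__":
    for protected in (False, True):
        tree = build_demo_tree(protect_admin=protected)
        print(f"admin protected={protected}:")
        for finding in audit_webroot(tree) or ["no findings"]:
            print("  -", finding)
```

Running it against a real install, the first two findings are what turn the file manager from an admin convenience into a site-takeover path; the third is the condition Frank Laszlo's reply hinges on.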