lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 17 May 2004 19:37:16 -0000 From: Rene <l0om@...luded.org> To: bugtraq@...urityfocus.com Subject: oscommerce 2.2 file_manager.php file browsing l0om - l0om[at]excluded.org - www.excluded.org greets, while i was "warsearching" with google i suddenly have been on the admin interfaces of many oscommerce sites. i made a: allinurl:admin/file_manager.php for nomal you can only view your oscommerce directorys, but if you type in the following you can view any file on the server with the webservers permissions: file_manager.php?action=download&filename=../../../../../../../../ etc/passwd as you have to be logged in this isnt hot but i think its better to know about it. l0om
Powered by blists - more mailing lists