Bugtraq: oscommerce 2.2 file_manager.php file browsing

oscommerce 2.2 file_manager.php file browsing

From: Rene <l0om_at_excluded.org>
Date: 17 May 2004 19:37:16 -0000
l0om - l0om[at]excluded.org - www.excluded.org
 
greets,
while i was "warsearching" with google i suddenly
have been on the admin interfaces of many oscommerce
sites. i made a:
allinurl:admin/file_manager.php
 
normally you can only view your oscommerce
directories, but if you type in the following you can
view any file on the server with the webserver's
permissions:
file_manager.php?action=download&filename=../../../../../../../../etc/passwd
 
as you have to be logged in this isn't hot but i think
it's better to know about it.
 
 
l0om
Received on May 17 2004
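
A detection check for the request pattern described in the post, as an added example that is not part of the original message: it scans web-server access logs for `file_manager.php` download requests whose `filename` resolves outside the shop directory, including percent-encoded forms. `BASE_DIR`, the log lines and all function names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/var/www/catalog"  # assumption: directory the file manager should stay within
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/May/2004:19:30:01 +0000] "GET /admin/file_manager.php?action=download&filename=images/logo.gif HTTP/1.1" 200 5120',
    '192.0.2.10 - - [17/May/2004:19:30:09 +0000] "GET /admin/file_manager.php?action=download&filename=images/../images/logo.gif HTTP/1.1" 200 5120',
    '192.0.2.44 - - [17/May/2004:19:31:12 +0000] "GET /admin/file_manager.php?action=download&filename=../../../../../../../../etc/passwd HTTP/1.1" 200 1432',
    '192.0.2.44 - - [17/May/2004:19:31:40 +0000] "GET /admin/file_manager.php?action=download&filename=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432',
    '192.0.2.10 - - [17/May/2004:19:32:05 +0000] "GET /admin/categories.php?cPath=1 HTTP/1.1" 200 8123',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(filename, base=BASE_DIR):
    """True if base/filename resolves outside base after normalisation."""
    candidate = fully_decode(filename).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    return not (resolved == base or resolved.startswith(base + "/"))

def suspicious_requests(log_lines):
    """Return log lines requesting file_manager.php downloads outside BASE_DIR."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/file_manager.php"):
            continue
        params = parse_qs(url.query)  # parse_qs already decodes one encoding layer
        if params.get("action") != ["download"]:
            continue
        if any(escapes_base(name) for name in params.get("filename", [])):
            hits.append(line)
    return hits
```

Resolving the path before comparing it to the base directory is what lets the check pass `images/../images/logo.gif` while still flagging encoded traversal that a plain `../` substring match would miss.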