Full Disclosure mailing list archives
Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION)
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 13 Nov 2009 09:55:03 -0800
I can confirm this vulnerability, having done research on it recently. See also: http://www.milw0rm.com/exploits/9556 For those who can't read past three lines: This results in ANONYMOUS REMOTE CODE EXECUTION due to the availability of the file manager script.
Patch: no official patches known
Somehow, the osCommerce developers don't consider this important enough to release a new 2.2 version. I believe there was one patch attempted in their git repository, but if you read their forums, all you get are a bunch of misguided posts on how to disable the file manager or change the default path of /admin/. After researching a number of public flaws in osCommerce and the development team's reaction to them, I'm quite concerned that so many people actually use this application. The osCommerce team's reaction to this issue is an embarassment to open source and PHP development, generally.
This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in the above attack. Vulnerability #2 at http://secunia.com/advisories/33446/ (recently added) seems to be it, but I don't see why it's lumped in with the CSRF flaw...
Yes, this very much adds to the confusion of the issue. Secunia: Please fix your listing. CSRF is still an issue in the admin area, but the bigger (separate) issue is a complete authentication bypass in a badly designed /admin/ area. tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OS Commerce authentication bypass lsi (Nov 13)
- Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION) Tim (Nov 13)