We really appreciate your (insecure?) work; don't eat snakes, they taste really bad
Well, I'll immediately come to the point.
Whilst reviewing the source of osCommerce 3.0.1, we found an LFI in /osCommerce/OM/Core/Site/Admin/Application/modules_order_total/pages/edit.php concerning the GET parameter 'module'.
But while trying to exploit it, weird things occurred... On some servers there was no chance to display /etc/passwd. We couldn't figure out why these issues happened to us!? =(
As far as we know, the committed relative path IS right.
Can you help us, please? We really want to rule the world and spread our love.
Btw, is it normal that /osCommerce/OM/Config/settings.ini is just readable for everyone?
Okay, guys, thanks a lot.
Yours faithfully
die_Spinne & b0red
feel free to contact us: b0red@bk.ru














