SB2019082221 - Multiple vulnerabilities in osCommerce

Published: August 22, 2019 Updated: August 8, 2020

Security Bulletin ID: SB2019082221
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity: Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Arbitrary file upload (CVE-ID: CVE-2018-18572)

The vulnerability allows a remote privileged user to execute arbitrary code.

osCommerce 2.3.4.1 has an incomplete '.htaccess' blacklist filter for the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) did not execute in the application, but the filter did not cover the '.pht' extension. Thus, remote authenticated administrators can upload '.pht' files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.


2) Code Injection (CVE-ID: CVE-2018-18573)

The vulnerability allows a remote privileged user to execute arbitrary code.

osCommerce 2.3.4.1 has an incomplete '.htaccess' blacklist filter for the "product" page. Remote authenticated administrators can upload a new '.htaccess' file (e.g., one that omits the .php restriction) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.
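Both issues above stem from the same root cause: upload filtering by an extension blacklist, which misses any extension the list does not name ('.pht') and does not block server configuration files ('.htaccess'). The following added example (not osCommerce code; the blacklist contents and sample filenames are constructed) contrasts that weak check with an allowlist check that only accepts the image types a product upload needs:

```python
import os
import re

# Constructed approximation of an incomplete PHP-extension blacklist of the
# kind the bulletin describes: several PHP extensions are named, '.pht' is not.
INCOMPLETE_BLACKLIST = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# The only extensions a product-image upload should ever accept.
IMAGE_ALLOWLIST = ("jpg", "jpeg", "png", "gif")

# Filenames Apache interprets as configuration; never accept them as uploads.
RESERVED_NAMES = {".htaccess", ".htpasswd"}

# stem.ext where the stem is plain characters and ext is one allowed image type
ALLOWED_NAME = re.compile(r"[a-z0-9_-]+\.(" + "|".join(IMAGE_ALLOWLIST) + r")")


def last_extension(filename):
    """Lowercased final dotted suffix of the basename, or '' if there is none."""
    base = os.path.basename(filename).lower()
    return os.path.splitext(base)[1]


def blacklist_allows(filename):
    """Weak check: reject only if the final extension appears on the blacklist.
    Anything the list forgot ('.pht', '.htaccess') passes straight through."""
    return last_extension(filename) not in INCOMPLETE_BLACKLIST


def allowlist_allows(filename):
    """Hardened check: the whole basename must be a simple stem plus exactly
    one allowed image extension, and must not be a reserved Apache file."""
    base = os.path.basename(filename).lower()
    if base in RESERVED_NAMES or base.startswith("."):
        return False
    return ALLOWED_NAME.fullmatch(base) is not None


def compare(filenames):
    """Map each name to (blacklist verdict, allowlist verdict) for comparison."""
    return {name: (blacklist_allows(name), allowlist_allows(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample upload names covering the two cases in the bulletin.
    for name, verdict in compare(["photo.jpg", "photo.pht", ".htaccess", "photo.php5"]).items():
        print(f"{name:12s} blacklist={verdict[0]!s:5s} allowlist={verdict[1]}")
```

The blacklist accepts both 'photo.pht' and '.htaccess', while the allowlist rejects everything except the genuine image name.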


Remediation

Install the update from the vendor's website.