"extras" Directory Vulnerability Reminder
3rd August 2012 by Harald Ponce de Leon

We have been informed that a list of vulnerable sites has been recently published that have the "extras" directory publicly accessible on their servers. The "extras" directory is not part of the installation but is included in the osCommerce Online Merchant download packages to assist existing users upgrade their sites through various PHP and Perl scripts that had to be manually copied to the server. These scripts are no longer relevant to the newer releases and were removed from the download package 5 years ago for the v2.2 Release Candidate 1 release.

Due to an insecure directory listing implementation, the scripts could have allowed any file on the server to be read, including configuration files and database backups, if the location of the file is known. The contents of the "extras" directory include:

  • [DIR] button_template
  • [DIR] mysql_diff
  • [DIR] orders
  • [DIR] pr21_to_pr22
  • [DIR] taxes
  • [DIR] win32
  • mysql.php
  • update.php

As some of our earlier users have left this directory on their servers, we'd like to remind them to remove the "extras" directory entirely.

We'd like to thank Chad Greene (Manager, Facebook CERT) for informing us of the publication of affected sites.

Back to listing