
fix for file disclosure bug in admin

Oleg S.


in 'file_manager.php' after the line

      case 'download':

add the following code:

        // reject any requested filename containing '..' (directory traversal)
        if (strstr($HTTP_GET_VARS['filename'], '..')) {
          // the rest of the posted snippet is not preserved on this page;
          // refusing the request is assumed here
          die('Invalid filename');
        }



osCommerce's File Manager Arbitrary File Disclosure

"<http://www.oscommerce.com/> osCommerce is an online shop e-commerce solution under ongoing development by the open source community. Its feature-packed out-of-the-box installation allows store owners to set up, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved." A vulnerability in the product allows a remote attacker to access files that reside outside the bound HTML root directory.




Normally osCommerce will allow you to view only osCommerce's directories; however, if you type in the following you can view any file on the server with the web server's permissions:


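As an added example, not part of Oleg's post or of osCommerce's own code: the '..' check from the fix side by side with a containment check that resolves the requested name under the file manager's base directory and rejects anything that lands outside it. The base directory, the sample file and the sample names are constructed for the demonstration.

```php
<?php
// Added example, not osCommerce code. Compares the post's '..' check with a
// containment check on the resolved path. $base and all inputs are constructed.

// The check from the fix: refuse any name containing '..'.
function has_dotdot($filename) {
    return strstr($filename, '..') !== false;
}

// Stronger check: resolve the requested name under $base and require the
// result to stay inside $base. realpath() needs the target to exist, so
// missing files are rejected too, which suits a download handler.
function resolve_inside_base($base, $filename) {
    // realpath() rejects or truncates names with NUL bytes depending on the
    // PHP version; refuse them explicitly before touching the filesystem.
    if (strpos($filename, "\0") !== false) {
        return false;
    }
    $base = realpath($base);
    if ($base === false) {
        return false;
    }
    $base .= DIRECTORY_SEPARATOR;
    $target = realpath($base . $filename);
    if ($target === false) {
        return false;
    }
    // Containment: the resolved path must start with the base prefix.
    return strncmp($target, $base, strlen($base)) === 0 ? $target : false;
}

// Constructed sandbox directory with one legitimate file.
$base = sys_get_temp_dir() . '/fm_example_' . getmypid();
mkdir($base);
file_put_contents($base . '/catalog.txt', "ok\n");

$samples = array(
    'catalog.txt',             // legitimate, accepted by both checks
    '../../../../etc/passwd',  // traversal, caught by both checks
    "catalog.txt\0.txt",       // NUL byte, caught only by the containment check
    '.',                       // the base directory itself, rejected
);
foreach ($samples as $name) {
    $ok = resolve_inside_base($base, $name) !== false;
    printf("%-30s dotdot=%-3s contained=%s\n",
        json_encode($name), has_dotdot($name) ? 'yes' : 'no', $ok ? 'yes' : 'no');
}
unlink($base . '/catalog.txt');
rmdir($base);
```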