Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: PHP :: bt1300.txt

file inclusion vulnerability incpCommerce

ZH2003-31SA (security advisory): file inclusion vulnerability in cpCommerce

Published: 19 October 2003
Name: cpCommerce Affected Versions: 0.05f (and other versions?)
Issue: file inclusion vulnerability
Author: Astharot (at

Zone-H Security Team has discovered a flaw in cpCommerce. cpCommerce "is an
open-source e-commerce solution that is entirely template and module based.".

There's a file inclusion vulnerability in the _functions.php file, line 13-14:


Is it possible for a remote attacker to include an external file and execute
arbitrary commands with the privileges of the webserver (nobody by default).

To test the vulnerability try this:

In this way the file "" or
"" will be included and executed on
the server.

The author has been contacted and he published a temporary fix in the cpCommerce
website forum, waiting for the new version.

The patch is avaible here:;action=display;threadid=864.

Fix the script with the patch proposed by the author.

Link to ariginal article here: 

Astharot - Zone-H Admin
-- -
PGP Key:

Linux User #292132

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH