osCommerce Admin Access With Levels plugin in_login Authentication Bypass
Remote / Network Access
Loss of Confidentiality
osCommerce's Admin Access With Levels plugin contains a flaw that may allow a remote attacker to gain access to administrative functions. The issue is triggered when an attacker requests scripts under the "admin/" directory while supplying any non-zero value for the "in_login" parameter, which is enough to satisfy the plugin's login check without valid credentials. This flaw may lead to a loss of confidentiality.
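The following is an added example, not code from the advisory or from the plugin itself: a hypothetical minimal reconstruction of the pattern the advisory describes (an admin "logged in" decision driven by a client-supplied "in_login" value) placed beside a hardened check that derives the decision only from server-side session state. The function names, the array-based session and request stand-ins, and the sample admin record are all assumptions made so the script runs stand-alone from the command line.

```php
<?php
// Added example: hypothetical reconstruction of the flawed check described in
// the advisory. This is NOT the plugin's real code; names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: a request parameter (or, under register_globals, a
// variable populated straight from the query string) is treated as proof that
// the user has logged in. Any non-zero value passes, so
// GET /admin/<script>.php?in_login=1 is enough.
function vulnerable_is_admin(array $request): bool
{
    $in_login = isset($request['in_login']) ? (int) $request['in_login'] : 0;
    return $in_login != 0;           // '1', '999', '1abc' all cast to non-zero
}

// Hardened pattern: the login state lives only in server-side session data
// that the login routine sets after verifying the password. The request
// parameters are never consulted, so the client cannot forge the flag.
function hardened_is_admin(array $session): bool
{
    return isset($session['admin_authenticated'], $session['admin_id'])
        && $session['admin_authenticated'] === true
        && is_int($session['admin_id']);
}

// Login routine for the hardened pattern: verifies the password hash and only
// then writes the authenticated flag and admin id into the session.
function admin_login(array $session, string $user, string $password, array $admins): array
{
    foreach ($admins as $admin) {
        if (hash_equals($admin['username'], $user)
            && password_verify($password, $admin['hash'])) {
            $session['admin_authenticated'] = true;
            $session['admin_id'] = $admin['id'];
            return $session;
        }
    }
    // Failed login: return the session untouched (no flag set).
    return $session;
}

// Constructed sample data for the demonstration (not real credentials).
$admins = [
    ['id' => 1, 'username' => 'admin', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
$forgedRequest = ['in_login' => '1'];   // attacker-supplied, no credentials

// The bypass: the vulnerable check accepts the forged parameter outright.
var_dump(vulnerable_is_admin($forgedRequest));          // bool(true)

// The hardened check ignores the request entirely; an empty session fails.
var_dump(hardened_is_admin([]));                        // bool(false)

// A wrong password leaves the session unauthenticated.
$session = admin_login([], 'admin', 'wrong password', $admins);
var_dump(hardened_is_admin($session));                  // bool(false)

// Only a verified password produces an authenticated session.
$session = admin_login([], 'admin', 'correct horse', $admins);
var_dump(hardened_is_admin($session));                  // bool(true)
```

In a real deployment the `$session` array stands for `$_SESSION`, and the login script should also call `session_regenerate_id(true)` after a successful login so that an attacker cannot fixate the session identifier; the point of the example is that nothing readable from `$_GET`, `$_POST` or `$_COOKIE` (other than the session cookie itself) participates in the authorisation decision.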
Upgrade to version 2.2 or higher, as it has been reported to fix this vulnerability. For older versions, the flaw can also be mitigated with a workaround: protect the "admin/" directory with .htaccess-based access control, so that requests never reach the vulnerable scripts without a separate web-server-level authentication.
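As an added illustration of the workaround (this fragment is not from the advisory or the osCommerce project), a minimal Apache .htaccess file placed in the "admin/" directory that requires HTTP Basic authentication before any script there is served. The password-file path is a placeholder; it must point outside the document root, and the directory's `AllowOverride` setting must permit `AuthConfig` for the file to take effect, which is assumed here.

```apache
# Added example: <docroot>/admin/.htaccess for older osCommerce versions.
# Requires "AllowOverride AuthConfig" for this directory in the main config.
AuthType Basic
AuthName "osCommerce Administration"
# Hypothetical path; keep the password file outside the web root.
AuthUserFile /etc/apache2/oscommerce-admin.htpasswd
Require valid-user
```

Create the password file with `htpasswd -c /etc/apache2/oscommerce-admin.htpasswd <adminuser>` (drop `-c` when adding further users to an existing file), and serve the admin area over HTTPS only, since Basic credentials are merely base64-encoded in transit. This shields every script under "admin/", including the ones whose own "in_login" check is bypassable, because the web server rejects unauthenticated requests before PHP runs.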