osCommerce Admin Access With Levels Plugin Bypass Vulnerability
Published: Apr 29, 2004

The Admin Access With Levels plugin for osCommerce, an online shop e-commerce solution, contains a vulnerability.

What Is osCommerce?

osCommerce is an online shop e-commerce solution under ongoing development by the open source community. Its feature-packed out-of-the-box installation allows store owners to set up, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved.

osCommerce combines open source solutions to provide a free and open e-commerce platform, which includes the powerful PHP web scripting language, the stable Apache web server, and the fast MySQL database server.

With no restrictions or special requirements, osCommerce is able to run on any PHP-enabled web server, in any environment that PHP and MySQL support, which includes Linux, Solaris, BSD, Mac OS X, and Microsoft Windows environments.
http://www.oscommerce.com/

osCommerce Security Description
Ilya Sher has reported a vulnerability in the Admin Access With Levels plugin for osCommerce, allowing malicious people to access administrative functions.

The problem is that it is possible to access scripts in the "admin/" directory by supplying any non-zero value to the "in_login" parameter.

Version 1.5.1 is reportedly vulnerable. Prior versions may also be affected.

Solution
The developer of osCommerce responded that "we do not provide support for contributions" and that "contributions are used at own risk".

Protect "admin/" using .htaccess or similar.

Use another product.
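
To check whether the "in_login" bypass described above has been tried against a store, the following added example (not part of the original advisory or the plugin's code) scans Apache access-log lines for requests under "admin/" that carry a non-zero "in_login" query parameter. The log format, sample lines, placeholder paths and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client, identd, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder script names).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2004:10:01:12 +0000] "GET /shop/admin/page_a.php?in_login=1 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [29/Apr/2004:10:02:40 +0000] "GET /shop/admin/login.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [29/Apr/2004:10:03:05 +0000] "GET /shop/admin/page_b.php?in_login=0 HTTP/1.1" 302 -',
    '192.0.2.15 - - [29/Apr/2004:10:04:51 +0000] "GET /shop/item.php?in_login=1 HTTP/1.1" 200 900',
    '203.0.113.7 - - [29/Apr/2004:10:05:00 +0000] "GET /shop/admin/page_c.php?gID=1&in%5Flogin=yes HTTP/1.1" 200 7300',
]


def find_in_login_requests(lines, admin_dir="admin"):
    """Return (client, path, status) for admin/ requests with a non-zero in_login."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        if f"/{admin_dir}/" not in url.path:
            continue  # outside the admin directory
        # parse_qs percent-decodes names, so in%5Flogin is caught as well
        values = parse_qs(url.query, keep_blank_values=True).get("in_login", [])
        # Assumption: "non-zero" means anything other than empty or "0"
        if any(v.strip() not in ("", "0") for v in values):
            hits.append((m["client"], url.path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for client, path, status in find_in_login_requests(SAMPLE_LOG):
        print(f"{client} requested {path} with in_login set (HTTP {status})")
```

A flagged request that received a 200 response from a client with no preceding login deserves a closer look. Parameters sent in a POST body do not appear in access logs, so an empty result does not rule out use of the bypass.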


WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2024 WebHostGear.com