oscommerce authentication bypass

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : oscommerce authentication bypass
# Published : 2011-02-04
# Author : Nicolas Krassas
# Previous Title : Lingxia I.C.E CMS Remote Blind SQL Injection Exploit
# Next Title : dotProject 2.1.5 CSRF Vulnerability

This is a bug on old oscommerce / creloaded i just didn't find it in the
exploit-db database on the search.

# Exploit Title: OsCommerce/Creloaded tell a friend authentication bypass
# Date: 04/02/2010
# Author: Nicolas Krassas
# Version: $Id: tell_a_friend.php,v 1.1.1.1 2008/06/29 23:38:03
# Tested on: linux

When /tell_a_friend.php is called directly the user is redirected at
/product_info.php?products_id=0 where an access denied message is displayed.
Providing a valid product id (eg.
/tell_a_friend.php?action=process&products_id=[Product_id] ) though a guest
user can bypass the restriction and send unsolicited mails through the
system.

Regards,
Nicolas Krassas