CVE-2011-4543

Name of the Vulnerable Software and Affected Versions osCommerce version 3.0.2

Description The issue allows remote attackers to include and execute arbitrary local files via directory traversal vulnerabilities. This can be achieved by manipulating the set or module parameter in various PHP files, such as /OM/Core/Site/Admin/Application/templates modules/pages/info.php, /OM/Core/Site/Admin/Application/templates modules/pages/edit.php, and others. Additionally, vulnerabilities exist in other parameters like filter and template across different pages.

Recommendations For osCommerce version 3.0.2, consider disabling access to the vulnerable PHP files until a patch is available. Restrict the use of the set, module, filter, and template parameters in the affected API endpoints to minimize the risk of exploitation. Avoid using these parameters in the specified pages, such as /OM/Core/Site/Admin/Application/templates modules/pages/info.php, until the issue is resolved.