CVE-2006-6533

Name of the Vulnerable Software and Affected Versions osCommerce version 3.0a3

Description A directory traversal issue exists, allowing remote attackers to include and execute arbitrary PHP files by using a .. (dot dot) in the filter parameter of the admin/templates boxes layout.php file. This issue can also be used to obtain full path information from error messages.

Recommendations For osCommerce version 3.0a3, as a temporary workaround, consider restricting access to the admin/templates boxes layout.php file until a patch is available. Avoid using the filter parameter in this file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.