PT-2019-9607 · Oscommerce · Oscommerce
Hexifeo · Published 2019-08-22 · Updated 2019-08-29
CVE-2018-18572
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
osCommerce version 2.3.4.1
Description
The issue arises from an incomplete '.htaccess' file used for blacklist filtering on the product page, which fails to prevent the execution of files with the '.pht' extension. This allows remote authenticated administrators to upload '.pht' files, leading to arbitrary PHP code execution. The exploitation occurs via the "/catalog/admin/categories.php?cPath=&action=new product" API endpoint, specifically by manipulating the cPath and action variables.
Recommendations
For osCommerce version 2.3.4.1, update the '.htaccess' file to include the '.pht' extension in the blacklist filter to prevent arbitrary PHP code execution. As a temporary workaround, consider restricting access to the "/catalog/admin/categories.php" API endpoint for authenticated administrators until a patch is available.
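As an added illustration (not osCommerce's own '.htaccess'), the fragment below shows an Apache 2.4 per-directory configuration with the incomplete blacklist beside a corrected one; the directory, the original pattern and the exact list of extensions are assumptions, not taken from the project.

```apache
# Added example, not osCommerce's own file. Assumes this .htaccess sits in
# the upload directory and AllowOverride permits <FilesMatch> there.

# Weak (assumed original form): a blacklist that forgets ".pht", so an
# uploaded "shell.pht" is still passed to the PHP handler.
#
# <FilesMatch "\.(php|php3|php4|php5|phtml)$">
#     Require all denied
# </FilesMatch>

# Corrected: add ".pht" (and the other extensions the PHP handler commonly
# maps) and match the extension anywhere in the name, not only at the end,
# because mod_mime evaluates every extension of "shell.pht.jpg".
<FilesMatch "\.(php[3457]?|pht|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>

# Defence in depth: unmap the PHP handler and MIME type for this directory so
# that an extension missing from the list above is served as a static file.
RemoveHandler .php .pht .phtml .phar
RemoveType .php .pht .phtml .phar
```

After applying it, confirm the behaviour by requesting a harmless test file with each listed extension from the upload directory and checking that the response is 403 rather than executed output.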
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Oscommerce