2019-08-22 14:33:07
mitre
PUBLISHED
osCommerce 2.3.4.1 has an incomplete .htaccess for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didnt execute in the application. But this filter didnt prevent the .pht extension. Thus, remote authenticated administrators can upload .pht files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.