2019-08-22 14:34:51
mitre
PUBLISHED
osCommerce 2.3.4.1 has an incomplete .htaccess for blacklist filtering in the "product" page. Remote authenticated administrators can upload new .htaccess files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.