osCommerce Unprotected Admin Directory

high Nessus Plugin ID 19253

Synopsis

The remote web host contains a PHP application that can be administered by anyone.

Description

The installation of osCommerce on the remote host apparently lets anyone access the application's admin directory, which means that they have complete administrative access to the site.

Solution

Limit access to the directory using Apache's .htaccess or an equivalent technique.

See Also

https://library.oscommerce.com/docs/english/e_post-installation.html

Plugin Details

Severity: High

ID: 19253

File Name: oscommerce_admin_access.nasl

Version: 1.15

Type: remote

Family: CGI abuses

Published: 7/21/2005

Updated: 6/1/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: www/oscommerce

Excluded KB Items: Settings/disable_cgi_scanning

Exploited by Nessus: true