osCommerce
cpe:2.3:a:oscommerce:online_merchant:*:*:*:*:*:*:*
- 2.3.4.1
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability exists in osCommerce Online Merchant version 2.3.4.1. This issue arises from an insecure default configuration that leaves the /install/ directory accessible after installation, combined with missing authentication in the installer workflow. An unauthenticated attacker can exploit this by invoking the install_4.php script, injecting arbitrary PHP code into the configuration file, and executing it when the application includes the file, leading to a full server-side compromise.
Exploitation of this vulnerability allows for arbitrary PHP code execution on the server, with the potential for full server compromise.
To reproduce this vulnerability, first ensure that osCommerce version 2.3.4.1 is installed and that the /install/ directory has not been removed. An unauthenticated attacker can then access the 'install.php' script in the 'install' directory, appending '?step=4' to the request. This will trigger the installation process without any authentication checks. During this process, it's possible to inject PHP code into the 'DB_DATABASE' field, which will be written to the 'includes/configure.php' file. Once the code is injected, it can be executed by accessing the 'configure.php' file.
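A defender-side log triage for the request sequence described above, added here as an example and not part of the original advisory: it flags clients that reached install.php with step=4 and then requested configure.php. The log lines are constructed samples in Combined Log Format, and the function names and verdict labels are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (Combined Log Format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /install/install.php?step=4 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /install/includes/configure.php HTTP/1.1" 200 0
198.51.100.9 - - [10/Mar/2024:10:05:00 +0000] "GET /install/install.php?step=4 HTTP/1.1" 404 196
192.0.2.44 - - [10/Mar/2024:10:06:00 +0000] "GET /index.php?step=4 HTTP/1.1" 200 1024
""".splitlines()

# Verdict labels are hypothetical names chosen for this example.
REACHABLE, REJECTED = 'installer_reachable', 'probe_rejected'
ESCALATED = 'config_requested_after_step4'

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target):
    """Map a request target to 'step4', 'configure' or None."""
    parts = urlsplit(target)
    # Normalise case, percent-encoding and doubled slashes before matching.
    path = re.sub(r'/+', '/', unquote(parts.path)).lower()
    if path.endswith('/install/install.php') and '4' in parse_qs(parts.query).get('step', []):
        return 'step4'
    if path.endswith('/includes/configure.php'):
        return 'configure'
    return None

def triage(lines):
    """Return {client_ip: verdict} for clients that touched the installer."""
    verdicts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ok = m['ip'], m['status'].startswith('2')
        kind = classify(m['target'])
        if kind == 'step4' and ok and verdicts.get(ip) != ESCALATED:
            verdicts[ip] = REACHABLE      # installer still deployed and answering
        elif kind == 'step4' and not ok:
            verdicts.setdefault(ip, REJECTED)
        elif kind == 'configure' and ok and verdicts.get(ip) == REACHABLE:
            verdicts[ip] = ESCALATED      # same client then requested the written file
    return verdicts

if __name__ == '__main__':
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(ip, verdict)
```

Any installer_reachable verdict means the /install/ directory is still deployed and should be removed; config_requested_after_step4 warrants reviewing includes/configure.php for content other than the expected settings.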