source: https://www.securityfocus.com/bid/50301/info

osCommerce is prone to a remote file upload and a file disclosure vulnerability. The issues occur because the application fails to adequately sanitize user-supplied input.

An attacker can exploit these issues to upload a file and obtain an arbitrary file's content; other attacks are also possible.

The following URL is available for the file disclosure vulnerability:

http://www.example.com/admin/shop_file_manager.php/login.php/login.php?action=download&filename=/includes/_includes_configure.php

The following exploit is available for the remote file upload vulnerability:
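Added example, not part of the original advisory and not the exploit it refers to: a web-server log check for the request shape in the file disclosure URL above, an admin script followed by extra path segments ending in login.php. The log lines, IP addresses and the function names classify and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Constructed access-log lines (combined log format) for illustration only.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:00:01 +0000] "GET /admin/shop_file_manager.php'
    '/login.php/login.php?action=download&filename=/includes/_includes_configure.php'
    ' HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2012:10:00:05 +0000] "GET /admin/login.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2012:10:00:09 +0000] "GET /admin/shop_file_manager.php'
    '?action=download&filename=readme.txt HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2012:10:00:12 +0000] "GET /admin/shop_file_manager.php'
    '/login%2Ephp?action=download&filename=%2Fincludes%2Fconfigure.php HTTP/1.1" 200 498',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# An admin .php script followed by extra path segments that end in login.php.
PATHINFO_RE = re.compile(
    r"^/admin/(?P<script>[^/]+\.php)(?:/[^/]+)*/login\.php$", re.IGNORECASE
)


def classify(line):
    """Return a finding dict if the line matches the advisory's request shape, else None."""
    req = REQUEST_RE.search(line)
    if not req:
        return None
    parts = urlsplit(req.group("target"))
    # Decode percent-encoding first so encoded characters in the path are not missed.
    hit = PATHINFO_RE.match(unquote(parts.path))
    if not hit:
        return None
    query = parse_qs(parts.query)  # parse_qs also percent-decodes the values
    return {
        "ip": req.group("ip"),
        "script": hit.group("script"),
        "action": query.get("action", [""])[0],
        "filename": query.get("filename", [""])[0],
        "served": req.group("status") == "200",  # 200 means content was returned
    }


def scan(lines):
    """Collect findings for every log line that matches."""
    return [f for f in map(classify, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with served set to True and a filename pointing at a configuration file means the credentials in that file should be treated as exposed.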