"extras" Directory Vulnerability Reminder
If you're using a version of osCommerce Online Merchant earlier than v2.2 Release Candidate 1 (July 2007), please make sure the "extras" directory is not publicly accessible on the server if it has been copied over. This directory is not part of the installation and had to be copied over separately when upgrading from even earlier releases.
A list of affected servers that unfortunately still have the "extras" directory publicly accessible has recently been published.
If left on the server, the scripts in the directory may allow any file on the server to be read due to an insecure directory listing implementation.
More information at:
http://www.oscommerce.com/about/news,141
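
One way to check a server for a leftover copy, as an added example that is not part of the original announcement or of osCommerce itself: the function below walks a web root and reports every directory named "extras" that still holds PHP scripts. The function name and the web root path passed as its argument are assumptions, and a hit only shows that the directory exists on disk; whether it is reachable over HTTP depends on the server configuration.

```shell
#!/bin/sh
# audit_extras WEBROOT   (hypothetical helper, not shipped with osCommerce)
# Lists every directory named "extras" below WEBROOT and counts the PHP
# scripts in it. Returns 0 when no such directory holds scripts, 1 when at
# least one does, 2 on a usage or setup error.
audit_extras() {
    webroot=$1
    if [ ! -d "$webroot" ]; then
        echo "audit_extras: not a directory: $webroot" >&2
        return 2
    fi

    hits=0
    list=$(mktemp) || return 2
    # Collect candidates first so the loop below runs in the current shell
    # and the hit counter survives it.
    find "$webroot" -type d -name extras -print > "$list"

    while IFS= read -r dir; do
        scripts=$(find "$dir" -type f -name '*.php' | wc -l | tr -d ' ')
        if [ "$scripts" -gt 0 ]; then
            echo "FOUND $dir: $scripts PHP script(s); remove it or move it outside the web root"
            hits=$((hits + 1))
        else
            echo "note: $dir exists but contains no PHP scripts"
        fi
    done < "$list"
    rm -f "$list"

    [ "$hits" -eq 0 ]
}

# Run directly as: sh audit_extras.sh /path/to/webroot
[ "$#" -eq 0 ] || audit_extras "$@"
```

The non-zero exit status on a hit makes the check usable from cron or a deployment script.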










