# Exploit Title: OsCommerce/Creloaded tell a friend authentication bypass # Date: 04/02/2010 # Author: Nicolas Krassas # Version: $Id: tell_a_friend.php,v 1.1.1.1 2008/06/29 23:38:03 # Tested on: linux When /tell_a_friend.php is called directly the user is redirected at /product_info.php?products_id=0 where an access denied message is displayed. Providing a valid product id (eg. /tell_a_friend.php?action=process&products_id=[Product_id] ) though a guest user can bypass the restriction and send unsolicited mails through the system. Regards, Nicolas Krassas