CVE-2002-1991

osCommerce 2.1 - Remote Code Execution via Include File Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-1991.

AI-analyzed exploit summary The exploit demonstrates a remote file inclusion (RFI) vulnerability in osCommerce, allowing an attacker to include and execute arbitrary PHP code from a remote server. This leads to remote code execution (RCE) with the privileges of the webserver.

Description

PHP file inclusion vulnerability in osCommerce 2.1 execute arbitrary commands via the include_file parameter to include_once.php.

Exploits (1)

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/21563

View Code ZIP pw:eip

The exploit demonstrates a remote file inclusion (RFI) vulnerability in osCommerce, allowing an attacker to include and execute arbitrary PHP code from a remote server. This leads to remote code execution (RCE) with the privileges of the webserver.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: osCommerce

No auth needed

Prerequisites: Remote server hosting malicious PHP script · Network access to the vulnerable osCommerce instance

MITRE ATT&CK

T1189 - Drive-by Compromise T1218 - System Binary Proxy Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://online.securityfocus.com/archive/1/277312

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/5037

Third Party Advisory vdb-entry x_refsource_xf

http://www.iss.net/security_center/static/9369.php

Various Sources x_refsource_confirm

http://www.oscommerce.com/about.php/news%2C72

Scores

EPSS 0.0746

EPSS Percentile 93.7%

Details

CWE

CWE-94

Status published

Products (1)

oscommerce/oscommerce 2.1

Published Dec 31, 2002

Tracked Since Feb 18, 2026