Security Bloggers Network

Home » Security Bloggers Network » osClass 3.6.1: Remote Code Execution via Image File

osClass 3.6.1: Remote Code Execution via Image File

by Robin Peraglie on December 18, 2016

In this blog post, we examine three vulnerabilities that we detected in the open source marketplace software osClass 3.6.1:

Cross-Site Scripting
File Write
File Inclusion

By chaining these three vulnerabilities, the exploitation of the cross-site scripting issue leads to remote code execution on a targeted web server.

Cross-Site Scripting

The cross-site scripting vulnerability can be triggered by an authenticated administrator visiting a malicious link. Due to the generalized approach of input sanitization for HTML in osClass’s getParam() function, the parameter country_code is insufficiently secured for a JavaScript context in line 409.

oc-admin/themes/modern/settings/locations.php



		
			
				← Toolsmith – GSE Edition:  Image Steganography & StegExpose
				osClass 3.6.1: Remote Code Execution via Image File →



	

			
		Techstrong TV
Click full-screen to enable volume control
Watch latest episodes and shows 
Tech Field Day Events
Upcoming Webinars















			
			
Podcast

Listen to all of our podcasts 

						
						Secure by Design 
						
						 3 weeks ago | Jack Poller
Senator Sanders Wants to Own AI Companies — and Hand America’s Adversaries the Keys
 4 weeks ago | Jack Poller
NIST’s Nine: The PQC Signature Race Moves to Round Three
 4 weeks ago | Jack Poller
The Quantum Arms Race: Why Washington Just Wrote a $2 Billion Check to Nine Companies
 1 month ago | Jack Poller
Beyond Moore’s Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities
 1 month ago | Jack Poller
The Exception Economy: When Security Teams Stop Protecting and Start Negotiating
			
			


  
Press Releases


GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On
			
			
Subscribe to our Newsletters







					
					Most Read on the Boulevard
					
					Databricks Acquires Cybersecurity Startup Panther Labs to Fortify AI Defense
SailPoint Acquires Entro to Continuously Detect and Monitor Non-Human Identities
MSG Breach: Knicks Take the NBA Championship, ShinyHunters Takes the Data 
Malwarebytes Finds Ad Scams Hidden in 40+ World Cup Streaming Sites
F5 Embeds Neural Network in WAF Platform to Continuously Assess Risks
FortiBleed Leak Exposes VPN Credentials for Nearly 74,000 Fortinet Devices
Kodak Confirms Data Breach Claimed by ShinyHunters Extortion Gang
Microsoft Defender Zero-Day Privilege Escalation Vulnerability (RoguePlanet)
GitHub Locks Down npm: What the New Install Defaults Mean for Your Supply Chain
973 MCP Packages, 71% Single-Maintainer: A Practitioner’s Guide to AI Developer Security
		Industry Spotlight 			
								
						
						
							Cybersecurity Featured Industry Spotlight Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threats & Breaches 
							
								NYC Sewers Crawling With Rats and Potential Bad Actors 
							
							
								 June 18, 2026								Teri Robinson | 3 days ago
								0
							
						
					
								
						
						
							Cloud Security Cybersecurity Data Privacy Data Security Featured Incident Response Industry Spotlight Malware Mobile Security Network Security News Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threats & Breaches Vulnerabilities 
							
								Anthropic Mythos AI Model Strikes Fear in Trump Administration, U.S. Banks
							
							
								 April 12, 2026								Jeffrey Burt | Apr 12
								Comments Off on Anthropic Mythos AI Model Strikes Fear in Trump Administration, U.S. Banks
							
						
					
								
						
						
							AI and Machine Learning in Security Cybersecurity Featured Industry Spotlight Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight 
							
								The Day the Security Music Died
							
							
								 April 8, 2026								Alan Shimel | Apr 08
								Comments Off on The Day the Security Music Died
							
						
					
						
								
		Top Stories 			
								
						
						
							Cybersecurity Data Privacy Data Security Featured News Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight 
							
								Job Seekers Make for Vulnerable Targets
							
							
								 June 19, 2026								Teri Robinson | 2 days ago
								0
							
						
					
								
						
						
							Cybersecurity Data Security Featured News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight 
							
								MSG Breach: Knicks Take the NBA Championship, ShinyHunters Takes the Data 
							
							
								 June 18, 2026								Teri Robinson | 3 days ago
								0
							
						
					
								
						
						
							AI and Machine Learning in Security Cybersecurity Featured News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight 
							
								Trying to Control AI is Like Holding Sand
							
							
								 June 17, 2026								Alan Shimel | 3 days ago
								0
							
						
					
						
								

						
						Security Humor 
						
						
Fortinet® Follies
			
			
Download Free eBook

[su_panel border="0px solid #ddd" radius="0" text_align="center" padding-top="0px" padding-bottom="0px"]
			
			[/su_panel]



			
			
				


			
		
	
			
			

	
		
			
				
									
				
									
				
									
			

			
				
								


		
				
			

			
				
					Join the Community
Add your blog to Security Creators Network
Write for Security Boulevard
Bloggers Meetup and Awards
Ask a Question
Email: [email protected]
				
				
					Useful Links
About
Media Kit
Sponsor Info
Copyright
TOS
DMCA Compliance Statement
Privacy Policy
				
				
					Related Sites
Techstrong Group
Cloud Native Now
DevOps.com
Digital CxO
Techstrong Research
Techstrong TV
Techstrong.tv Podcast
DevOps Chat
DevOps Dozen
DevOps TV
				
			
		
	

			
				
					
						
							
		
		
		
		
		
	

	
							
															
						

						
						
							Copyright ©  2026  Techstrong Group Inc. All rights reserved.








	





		
		


				
 
  

 
  
×
	
			
		
		
		
		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

		

	







































































		
		
		
		
		
				Insert/edit link
		
		
			
				Enter the destination URL
				
					URL
					
				
				
					Link Text
					
				
				
					
					 Open link in a new tab
				
			
			Or link to existing content
			
				
					
						Search
						
						
					
				
				
					
					
						
					
				
				
					
						No search term specified. Showing recent items.
						
							Search or use up and down arrow keys to select an item.