what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TomatoCart 1.x Cross Site Scripting / SQL Injection

TomatoCart 1.x Cross Site Scripting / SQL Injection
Posted Aug 6, 2014
Authored by Kenny Mathis

TomatoCart version 1.x (latest-stable) suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2014-3830, CVE-2014-3978
SHA-256 | cd380b42173cb9381f2c2e040433d1adfe568239973fe9274ff5f404846bf040

TomatoCart 1.x Cross Site Scripting / SQL Injection

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-3978 - Remote SQL Injection Vulnerability
CVE-2014-3830 - Reflected Cross Site Scripting

-
------------------------------------------------------------------------------
Title:
TomatoCart v1.x (latest-stable) Remote SQL Injection Vulnerability

Background:
TomatoCart is open source ecommerce solution developed and
maintained by a
number of 64,000+ users from 50+ countries and regions. It's distributed
under
the terms of the GNU General Public License (or "GPL"), free to download and
share. The community, including project founders and other developers, are
supposed to work together on the platform of TomatoCart, contributing
features,
technical support and services. The current stable package is TomatoCart
V1.1.8.6.1, while the latest development version is version 2.0 Alpha
4. This
exploit affects the "stable" tree.

Timeline:
06 June 2014 - CVE-2014-3978 assigned
06 June 2014 - Submitted to vendor
25 June 2014 - Received inadequate patch from vendor
26 June 2014 - Suggested patch sent to vendor
17 July 2014 - Request for update from vendor, no response.
05 August 2014 - Pull request sent on github for full patch

Status:
Vendor ignored, see suggested fix below.

Released:
05 August 2014 -
https://breaking.technology/advisories/CVE-2014-3978.txt

Classification:
SQL Injection

Exploit Complexity:
Low

Severity:
High

Description:
TomatoCart suffers from a systemic vulnerability in its query factory,
allowing attackers to circumvent user input sanitizing to perform remote SQL
injection.

Required Information:
* Valid user account

PoC:
Create a new contact in your address book using the following values.

First name: :entry_lastname,
Last Name : ,(select user_name from toc_administrators order by id asc
limit 1),(select user_password from toc_administrators order by id asc limit
1),3,4,5,6,7,8,9,10)#

The new contact will be added to your address book with the admin
hash as
the contact's street address

Suggested Action:
Pull request has been sent to the developers on github. Recommend
patching
the required to properly encode colon (:)
https://github.com/tomatocart/TomatoCart-v1/pull/238




-
------------------------------------------------------------------------------

Title:
TomatoCart v1.x Reflected Cross Site Scripting Vulnerability

Background:
TomatoCart is open source ecommerce solution developed and
maintained by a
number of 64,000+ users from 50+ countries and regions. It's distributed
under
the terms of the GNU General Public License (or "GPL"), free to download and
share. The community, including project founders and other developers, are
supposed to work together on the platform of TomatoCart, contributing
features,
technical support and services. The current stable package is TomatoCart
V1.1.8.6.1, while the latest development version is version 2.0 Alpha
4. This
exploit affects the "stable" tree.


Timeline:
22 May 2014 - CVE-2014-3830 assigned
06 June 2014 - Submitted to vendor
25 June 2014 - Received inadequate patch from vendor
26 June 2014 - Suggested patch sent to vendor
17 July 2014 - Request for update from vendor, no response.
05 August 2014 - Pull request sent on github for full patch

Status:
Vendor ignored, see suggested fix below.

Released:
05 August 2014 -
https://breaking.technology/advisories/CVE-2014-3830.txt

Classification:
Reflected Cross Site Scripting

Exploit Complexity:
Low

Severity:
Moderate

Description:
TomatoCart suffers from a lack of and/or improper input validation

PoC:

http://tomatocartserver/info.php?faqs&faqs_id=1';</script><script>alert('xss');<
/script>

Suggested Action:
Pull request has been sent to the developers on github. Recommend
patching
the required files to properly use htmlentities() for input variables
https://github.com/tomatocart/TomatoCart-v1/pull/238


-
------------------------------------------------------------------------------


Again, we would like to stress that this is NOT a guarantee of the
security of
this product. This simply fixes the SQL injection vulnerabilities we
were able
to discover on our first glance. If we were able to discover these
at-a-glance
then imagine what could potentially be in the wild.


- - - Breaking Technology Staff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJT4i+VAAoJEEabgwf7HzMLHuEP/A+ApRJqGYvh4y2324BvqL3B
Dq9RDR+JhxGPZoOICECMgGTjIQUN4jWRpVOw+uG7ApTxakChIb80P6aSbCr1uWIs
nYGqnE48GqIzKrCmNu4w4TjBywsjDdUMkUyrpZQgo+lcsG+7eGFxq3r6FoKiNSZL
Kd9jXCyWOY6F+KuWXRbLdYjKBP8f4Mog/RjANibP61OUpicJ2wV0Hvf9WN+ZAYO7
VRMrBa7hp2lBu9Wz9RuELCHLnkCZqS03kUFNLTbDEKwBnTIteT1vxCe1gmyU9kUv
kgdqwv71eOjhf5Vz9SmmvUO6FeZ3RkIhPaNB8W0c2jjdpFjCqFA7o69ZrR3KTfYl
69XIQTo0EnjMw2ABtvtGCLSC/x+GlxrD2kMSxmTrrFkMN23i+NZoNp/YJxNekXXS
FaAW2kXph4O52KFYLCO3S99Ga+bDxUfbS/q8+K/L8C70PeyS9HiipC4Fa/DCVWjG
xBq71BV1MVEZv3T67m/8Bu5lH1pyXRz9k65gLWAkJe6dBwZY2drwelefXOSourTF
08Ec7zrGWhNjzxdmwNGvbXBxEBa5HeamKJWOeNrOxe7GAaXLYZJGtG6iFFyHagYh
5zR+i1TeSydN0Px369vA5f5LIGza8+Phzv7J9XCXuqtppXA4TE5sTp28Q5r5fMW+
r6GEiiy9fYNLRYzt4/la
=I0ak
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close