TomatoCart 1.2.0 Alpha 2 Local File Inclusion Vulnerability

ID 1337DAY-ID-19681
Type zdt
Reporter Canberk BOLAT
Modified 2012-10-28T00:00:00


TomatoCart version 1.2.0 Alpha 2 suffers from a local file inclusion vulnerability.

Name :  Local File Inclusion Vulnerability in TomatoCart
Software :  TomatoCart 1.2.0 Alpha 2 and possibly below.
Vendor Homepage :
Vulnerability Type :  Local File Inclusion
Severity :  Critical
Researcher :  Canberk Bolat
Advisory Reference :  NS-12-004

TomatoCart is a professional and innovative open source eCommerce
solution. The back-end is an impressive desktop-like ExtJS-powered
interface, offering significant improvements in usability and user
experience. It is the easiest-to-use shopping cart.

TomatoCart version 1.2.0 Alpha 2 is affected by a Local File Inclusion
vulnerability.
An example PoC URL is as follows :

You can read the full article about Local File Inclusion vulnerabilities
here :

No patch released.

Advisory Timeline
30/09/2011 - First contact: No response
26/12/2011 - Second contact: No response
28/03/2012 - Vulnerability Released

It was discovered during testing with Netsparker, Web Application
Security Scanner -

MSL Advisory Link :
Netsparker Advisories :

# [2018-04-03]  #