Posts

Showing posts from January, 2013

TomatoCart 1.x | Cross Site Request Forgery Protection Bypass via JavaScript Hijacking

1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Cross Site Request Forgery
Protection Bypass.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw related to the script
'/admin/tocdesktop.php' failure to properly protect the JavaScript
object, "token" which is used to prevent Cross Site Request Forgery
attack. This allows an attacker to gain access to the token object via
JavaScript Hijacking upon an administrator user's visit to his crafted
page. Using the compromised token value, the attacker will then be
able to perform administrator-privileged …

TomatoCart 1.x | Vulnerable Piwik Extension

1. OVERVIEW

TomatoCart 1.x versions include outdated and vulnerable Piwik extension < 0.5.5.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions include outdated and vulnerable Piwik
extension < 0.5.5 according to the the Piwik SVN checkout date
specified in /ext/piwik/index.php. This Piwik version has known
vulnerabilities such as Cross Site Scripting, Arbitrary URL Redirect
and Denial-of-Service.


4. VERSIONS AFFECTED

1.x


5. PROOF-OF-CONCEPT/EXPLOIT

Refer to REFERENCES section for the OSVDB site URL featuring known
Piwik vulnerabilities.


6. SOLUTION

The vendor did not show commi…

TomatoCart 1.x | Unrestricted File Creation

1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw related to the /admin/json.php
script's failure to properly restrict created files. This may allow an
attacker to create arbitrary shell script to launch further attacks on
the application server.


4. VERSIONS AFFECTED

Tested on 1.1.8, 1.1.5


5. PROOF-OF-CONCEPT/EXPLOIT

/////////////////////////////////////////////////////////////////////
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Co…