[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53E22B1D.9030402@breaking.technology>
Date: Wed, 06 Aug 2014 09:18:21 -0400
From: Kenny Mathis <kenny@...aking.technology>
To: fulldisclosure@...lists.org
Subject: [FD] TomatoCart v1.x (latest-stable) Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-3978 - Remote SQL Injection Vulnerability
CVE-2014-3830 - Reflected Cross Site Scripting
-
------------------------------------------------------------------------------
Title:
TomatoCart v1.x (latest-stable) Remote SQL Injection Vulnerability
Background:
TomatoCart is open source ecommerce solution developed and
maintained by a
number of 64,000+ users from 50+ countries and regions. It's distributed
under
the terms of the GNU General Public License (or "GPL"), free to download and
share. The community, including project founders and other developers, are
supposed to work together on the platform of TomatoCart, contributing
features,
technical support and services. The current stable package is TomatoCart
V1.1.8.6.1, while the latest development version is version 2.0 Alpha
4. This
exploit affects the "stable" tree.
Timeline:
06 June 2014 - CVE-2014-3978 assigned
06 June 2014 - Submitted to vendor
25 June 2014 - Received inadequate patch from vendor
26 June 2014 - Suggested patch sent to vendor
17 July 2014 - Request for update from vendor, no response.
05 August 2014 - Pull request sent on github for full patch
Status:
Vendor ignored, see suggested fix below.
Released:
05 August 2014 -
https://breaking.technology/advisories/CVE-2014-3978.txt
Classification:
SQL Injection
Exploit Complexity:
Low
Severity:
High
Description:
TomatoCart suffers from a systemic vulnerability in its query factory,
allowing attackers to circumvent user input sanitizing to perform remote SQL
injection.
Required Information:
* Valid user account
PoC:
Create a new contact in your address book using the following values.
First name: :entry_lastname,
Last Name : ,(select user_name from toc_administrators order by id asc
limit 1),(select user_password from toc_administrators order by id asc limit
1),3,4,5,6,7,8,9,10)#
The new contact will be added to your address book with the admin
hash as
the contact's street address
Suggested Action:
Pull request has been sent to the developers on github. Recommend
patching
the required to properly encode colon (:)
https://github.com/tomatocart/TomatoCart-v1/pull/238
-
------------------------------------------------------------------------------
Title:
TomatoCart v1.x Reflected Cross Site Scripting Vulnerability
Background:
TomatoCart is open source ecommerce solution developed and
maintained by a
number of 64,000+ users from 50+ countries and regions. It's distributed
under
the terms of the GNU General Public License (or "GPL"), free to download and
share. The community, including project founders and other developers, are
supposed to work together on the platform of TomatoCart, contributing
features,
technical support and services. The current stable package is TomatoCart
V1.1.8.6.1, while the latest development version is version 2.0 Alpha
4. This
exploit affects the "stable" tree.
Timeline:
22 May 2014 - CVE-2014-3830 assigned
06 June 2014 - Submitted to vendor
25 June 2014 - Received inadequate patch from vendor
26 June 2014 - Suggested patch sent to vendor
17 July 2014 - Request for update from vendor, no response.
05 August 2014 - Pull request sent on github for full patch
Status:
Vendor ignored, see suggested fix below.
Released:
05 August 2014 -
https://breaking.technology/advisories/CVE-2014-3830.txt
Classification:
Reflected Cross Site Scripting
Exploit Complexity:
Low
Severity:
Moderate
Description:
TomatoCart suffers from a lack of and/or improper input validation
PoC:
http://tomatocartserver/info.php?faqs&faqs_id=1';</script><script>alert('xss');<
/script>
Suggested Action:
Pull request has been sent to the developers on github. Recommend
patching
the required files to properly use htmlentities() for input variables
https://github.com/tomatocart/TomatoCart-v1/pull/238
-
------------------------------------------------------------------------------
Again, we would like to stress that this is NOT a guarantee of the
security of
this product. This simply fixes the SQL injection vulnerabilities we
were able
to discover on our first glance. If we were able to discover these
at-a-glance
then imagine what could potentially be in the wild.
- - Breaking Technology Staff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJT4isdAAoJEEabgwf7HzMLZq4P/jA5Q5GCsaNEcntpPxKDubNL
kI3NGsXxE/4tLIMEuMASyJe4qL2zRWot/2/WISomKULbJAV2pd6Xmmn9v9ZFx0Cc
CLICcoQ6S25goGwO5eyxWXNw9APgTOChsmjvwC8lv8CddLA4Swg06mkXq0FtDxBE
D7n5E9IZpH12VJ4zOQrUXWxRaabN76Ctpyhax6I0Qu+FydZksBEVgMTWgiU62Day
UNxkdIB0xPrtiisfxgFgwxEupKqYhuxuzPxPSA/hJCIE+9zv4u2N7RK0+ROznjF9
RyBz6QY6IluBzuKIaf596WG+Wy8XEzuvjH1wy4YKq/vBlj0srdLMenopPQjFz2U8
qbx7Us6Kojh6tBM7k/2oXlo+FRRf6Y+N9K34stExkgIqJpha4SgjZSJBtOlNo435
2n1y0sexUNZiO9Iwlr4TLO7kwzvC61w1KQ9hVtg9a+IdvIuEzXi6P6tAvBcwvLs/
Rvi8swMThWHPAhfgNb++J8Q3s5Jpth+3tN9yjUrtu/uYVenMgfGA2QkxOVEE0gM5
9JAL/U+8kAZTS4/DFYwX5CpxCD2IaTZjc5t2unXORcAah3h9TTO6i70P1GWqTj5H
XFukGw0yTKwmoR7HbOXYcDuc0SYr6ifqdf7FvrPgLXxvsVcV/vP59EjETHpGXFlU
gQgM5JGJ7MvA6ZJ0Owxk
=9rq3
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists