
TomatoCart 1.0.1 (json.php) Remote Cross-Site Scripting Vulnerability

Medium
Advisory ID
ZSL-2010-4968
Release Date
06 October 2010
Vendor
Wuxi Elootec Technology Co., Ltd. - http://www.tomatocart.com
Affected Version
1.0.1
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (English), Apache 2.2.14 (Win32), MySQL 5.1.41, PHP 5.3.1
Summary

TomatoCart is the new generation of open source shopping cart solution developed by Elootec Technology Co., Ltd. It is branched from osCommerce 3 as a separate project.

Description

TomatoCart version 1.0.1 suffers from an XSS vulnerability because input passed via the "action" parameter to the json.php script is not properly sanitised before being returned to the user: the value is used directly as a method name in a call_user_func() callback, and the resulting PHP warning echoes it back into the response. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Warning: call_user_func() expects parameter 1 to be a valid callback, class 'toC_Json_Checkout' does not have a method '1' in \tomatocart\includes\classes\json.php on line 64

Line 64: call_user_func(array('toC_Json_' . ucfirst($module), $action));
-- $action = $_REQUEST['action'];
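The root cause shown above is a dispatcher that hands an untrusted request value straight to call_user_func() and lets PHP's own warning text carry it back to the browser. The following is an added example of how the same dispatch pattern can be hardened; it is not TomatoCart's code, and the class name toC_Json_Checkout, the method names, and the request layout are assumptions made for illustration only (written for current PHP, 7 or later):

```php
<?php
// Added example, not TomatoCart code: a hardened version of the
// "call_user_func(array('toC_Json_' . ucfirst($module), $action))"
// dispatch pattern quoted in the advisory.
//
// Two defensive layers are demonstrated:
//   1. Warnings are never rendered into the HTTP response, so a rejected
//      callback can no longer reflect request input.
//   2. The action is checked against an explicit allowlist before it is
//      ever used as a method name, and the rejected value is not echoed.

ini_set('display_errors', '0');   // keep PHP diagnostics out of the response body
ini_set('log_errors', '1');       // send them to the error log instead

class toC_Json_Checkout           // assumed class name for this example
{
    // Only methods listed here are reachable from the request. This is
    // tighter than method_exists() alone, which would also accept
    // constructors, magic methods and internal helpers.
    public static $allowedActions = ['getShippingMethods', 'getPaymentMethods'];

    public function getShippingMethods(): array
    {
        return ['flat' => 'Flat rate'];           // constructed sample data
    }

    public function getPaymentMethods(): array
    {
        return ['cod' => 'Cash on delivery'];     // constructed sample data
    }
}

function dispatch(array $request): string
{
    // A JSON endpoint should declare itself as JSON so browsers do not
    // sniff the body as HTML; json_encode() also escapes what it emits.
    header('Content-Type: application/json; charset=utf-8');

    $module = isset($request['module']) ? (string) $request['module'] : '';
    $action = isset($request['action']) ? (string) $request['action'] : '';

    // Structural check first: both values must look like plain identifiers.
    $ident = '/^[A-Za-z][A-Za-z0-9_]{0,63}$/';
    if (!preg_match($ident, $module) || !preg_match($ident, $action)) {
        http_response_code(400);
        return json_encode(['error' => 'invalid request']);
    }

    // Resolve the module class without triggering autoloading of
    // arbitrary names; only classes already loaded are candidates.
    $class = 'toC_Json_' . ucfirst($module);
    if (!class_exists($class, false) || !property_exists($class, 'allowedActions')) {
        http_response_code(404);
        return json_encode(['error' => 'unknown module']);
    }

    // Allowlist check: the action must be explicitly exposed by the class.
    // The rejected value is deliberately not included in the error message.
    if (!in_array($action, $class::$allowedActions, true)
        || !method_exists($class, $action)) {
        http_response_code(404);
        return json_encode(['error' => 'unknown action']);
    }

    // Only now is the (validated) callback invoked.
    $result = call_user_func([new $class(), $action]);
    return json_encode($result);
}

echo dispatch($_REQUEST);
```

With this shape a request naming a method that is not on the allowlist receives a fixed JSON error and a 404, and because warnings are logged rather than displayed, even an unexpected PHP diagnostic cannot become a reflection point. The allowlist also documents, in one place, exactly which methods the endpoint is meant to expose.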
Proof of Concept
Disclosure Timeline
01.10.2010 Vulnerability discovered.
02.10.2010 Vendor contacted.
05.10.2010 No reply from vendor.
06.10.2010 Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.10.2010 Initial release
07.10.2010 Added references [2] and [3]