Seditio CMS 1.7.1 Password Disclosure

2015-07-27T00:00:00
ID PACKETSTORM:132850
Type packetstorm
Reporter Arash Khazaei
Modified 2015-07-27T00:00:00

Description

                                        
                                            `[+] Exploit Title: Seditio CMS Multiple Vulnerabilities  
[+] Google Dork: intext:"Powered by Seditio CMS"  
[+] Date: 27/7/2015  
[+] Exploit Author: Arash Khazaei  
[+] Vendor Homepage: http://www.seditiocms.com/  
[+] Software Link: http://www.seditiocms.com/page.php?id=20&a=dl  
[+] Version: 1.7.1(Last Version)  
[+] Tested on: Kali , Windows  
[+] CVE : N/A  
  
===============================  
Introduction :  
1- a vulnerability in seditio cms reveal Admin Password For Attacker.  
2- another Vulnerability in This CMS Is After Admin Logged Out Session Will  
Be Not Expired .  
===============================  
Reaval Admin Password :  
POC 1:  
in seditio CMS If We Login With Remember Feature CMS Make COokies Like This  
:  
  
MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA==  
  
if we decode This base64 Encoded Text We Got This :  
  
1:_:58b5444cf1b6253a4317fe12daff411a78bda0a95279b1d5768ebf5ca60829e78da944e8a9160a0b6d428cb213e813525a72650dac67b88879394ff624da482f:_:special  
  
If Look Between 1:_: We Have hashed Password Of Admin In This case Hashed  
Password Is admin1 .  
  
do If Admin Cookie Stealed site Admin Password Can Be Stealed By Attacker  
If Password Not Strong To Much.  
==================================================  
POC 2:  
  
if admin cookie stealed by reason Anything If We Set Base64 Of Admin  
Password Like this :  
  
MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA==  
  
and set it on your self cookie you logged in as admin in site .  
  
Session Of Admin After Logged Out Never Will Be Expired .  
  
  
Discovered By : Arash Khazaei .  
`