Seditio CMS 1.7.1 Password Disclosure Vulnerability

[+] Exploit Title: Seditio CMS Multiple Vulnerabilities
[+] Google Dork: intext:"Powered by Seditio CMS"
[+] Date: 27/7/2015
[+] Exploit Author: Arash Khazaei
[+] Vendor Homepage: http://www.seditiocms.com/
[+] Software Link: http://www.seditiocms.com/page.php?id=20&a=dl
[+] Version: 1.7.1(Last Version)
[+] Tested on: Kali , Windows
[+] CVE : N/A

===============================
Introduction :
1- a vulnerability in seditio cms reveal Admin Password For Attacker.
2- another Vulnerability in This CMS Is After Admin Logged Out Session Will Be Not Expired .
===============================
Reaval Admin Password :
POC 1:
in seditio CMS If We Login With Remember Feature CMS Make COokies Like This :

MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA==

if we decode This base64 Encoded Text We Got This :

1:_:58b5444cf1b6253a4317fe12daff411a78bda0a95279b1d5768ebf5ca60829e78da944e8a9160a0b6d428cb213e813525a72650dac67b88879394ff624da482f:_:special

If Look Between 1:_: We Have hashed Password Of Admin In This case Hashed Password Is admin1 .

do If Admin Cookie Stealed site Admin Password Can Be Stealed By Attacker If Password Not Strong To Much.
==================================================
POC 2:

if admin cookie stealed by reason Anything If We Set Base64 Of Admin
Password Like this :

MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA==

and set it on your self cookie you logged in as admin in site .

Session Of Admin After Logged Out Never Will Be Expired .


Discovered By : Arash Khazaei .

#  0day.today [2018-04-05]  #