Seditio CMS 1.7.1 Password Disclosure

2015.07.28
Credit: Arash Khazaei
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[+] Exploit Title: Seditio CMS Multiple Vulnerabilities [+] Google Dork: intext:"Powered by Seditio CMS" [+] Date: 27/7/2015 [+] Exploit Author: Arash Khazaei [+] Vendor Homepage: http://www.seditiocms.com/ [+] Software Link: http://www.seditiocms.com/page.php?id=20&a=dl [+] Version: 1.7.1(Last Version) [+] Tested on: Kali , Windows [+] CVE : N/A =============================== Introduction : 1- a vulnerability in seditio cms reveal Admin Password For Attacker. 2- another Vulnerability in This CMS Is After Admin Logged Out Session Will Be Not Expired . =============================== Reaval Admin Password : POC 1: in seditio CMS If We Login With Remember Feature CMS Make COokies Like This : MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA== if we decode This base64 Encoded Text We Got This : 1:_:58b5444cf1b6253a4317fe12daff411a78bda0a95279b1d5768ebf5ca60829e78da944e8a9160a0b6d428cb213e813525a72650dac67b88879394ff624da482f:_:special If Look Between 1:_: We Have hashed Password Of Admin In This case Hashed Password Is admin1 . do If Admin Cookie Stealed site Admin Password Can Be Stealed By Attacker If Password Not Strong To Much. ================================================== POC 2: if admin cookie stealed by reason Anything If We Set Base64 Of Admin Password Like this : MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA== and set it on your self cookie you logged in as admin in site . Session Of Admin After Logged Out Never Will Be Expired . Discovered By : Arash Khazaei .


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top