Seditio CMS Multiple Vulnerabilities.

2017.03.18
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

############################################
# Exploit Title : Seditio CMS Multiple Vulnerabilities.
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage: www.seditiocms.com
# Google Dork : intext:Powered by Seditio CMS
# Software Link : http://www.seditiocms.com/datas/users/1/1-10d40e-sed-en.rar
# Date : 2017 18 March
# CVE : N/A
# Tested On : Linux - Chrome
# Category : Web Application
# MY HOME : Ashiyane.org
#
############################################
## Seditio CMS SQL And Xss Vulnerabilities
## Research By Ashiyane Digital Security Team.
## Directory : (include) system/core/page/page.print.inc.php
############################################
# # # # # # # # # # # # # Vulnerability Code # # # # # # # # # # # # #

<?PHP
/* ====================
Seditio - Website engine
Copyright Neocrome
http://www.seditiocms.com
[BEGIN_SED]
File=page.print.inc.php
Version=171
Updated=2013-mar-05
Type=Core
Author=Neocrome
Description=Pages
[END_SED]
==================== */

// Print view of a single page: loads the page row, builds title/comment/file data
// and renders skins/<skin>/page.print.tpl. Runs in the global scope of the engine.

// Direct requests are refused; the file is only meant to be included by the engine.
if (!defined('SED_CODE')) { die('Wrong URL.'); }

// Read/write/admin rights for the 'page' area; sed_auth()/sed_block() are defined elsewhere.
list($usr['auth_read'], $usr['auth_write'], $usr['isadmin']) = sed_auth('page', 'any');
sed_block($usr['auth_read']);

// GET parameters, each passed through the engine's sed_import() filter ('INT', 'ALP', 'TXT').
// NOTE(review): what each filter guarantees is not visible in this file, yet it is the only
// check $id / $al / $c receive before they reach the SQL and array lookups below.
// $r is imported but never used in this file.
$id = sed_import('id','G','INT');
$al = sed_import('al','G','ALP');
$r = sed_import('r','G','ALP');
$c = sed_import('c','G','TXT');
$pg = sed_import('pg','G','INT');

/* === Hook === */
// Plugin files are include()d into this scope, so they can read and change every variable
// above. The path is built from whatever sed_getextplugins() returns (source not visible here).
$extp = sed_getextplugins('page.first');
if (is_array($extp))
{
	foreach($extp as $k => $pl)
	{
		include('plugins/'.$pl['pl_code'].'/'.$pl['pl_file'].'.php');
	}
}
/* ===== */

// Page lookup by alias (preferred) or numeric id. Both values are string-interpolated into
// the query — quoted, but not parameterised — so the sed_import() filter above is the only
// thing between the GET parameter and the SQL. The advisory header reports SQL injection in
// this file; whether the filter is sufficient cannot be judged from here. A prepared statement
// (or, at minimum, an explicit (int) cast of $id and a strict alias check) removes the question.
if (!empty($al))
{
	$sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid WHERE page_alias='$al' LIMIT 1");
}
else
{
	$sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid WHERE page_id='$id'");
}
// Unknown page → engine error page (sed_die semantics defined elsewhere).
sed_die(sed_sql_numrows($sql)==0);
$pag = sed_sql_fetcharray($sql);

// Timestamps are shifted by the user's timezone (hours) before formatting; '@' hides
// any warning date() would raise for a malformed value.
$pag['page_date'] = @date($cfg['dateformat'], $pag['page_date'] + $usr['timezone'] * 3600);
$pag['page_begin'] = @date($cfg['dateformat'], $pag['page_begin'] + $usr['timezone'] * 3600);
$pag['page_expire'] = @date($cfg['dateformat'], $pag['page_expire'] + $usr['timezone'] * 3600);

// Current tab defaults to 1 (empty() also treats pg=0 as unset).
$pag['page_tab'] = (empty($pg)) ? 1 : $pg;
$pag['page_pageurl'] = (empty($pag['page_alias'])) ? "page.php?id=".$pag['page_id'] : "page.php?al=".$pag['page_alias'];
$catpath = sed_build_catpath($pag['page_cat'], "<a href=\"list.php?c=%1\$s\">%2\$s</a>");

// page_alias and page_title are concatenated straight into HTML here; no escaping is applied
// in this file, so their safety depends on what was done when they were stored — TODO confirm.
$pag['page_fulltitle'] = $catpath." ".$cfg['separator']." <a href=\"".$pag['page_pageurl']."\">".$pag['page_title']."</a>";
$pag['page_fulltitle'] .= ($pag['page_totaltabs']>1 && !empty($pag['page_tabtitle'][$pag['page_tab']-1])) ? " (".$pag['page_tabtitle'][$pag['page_tab']-1].")" : '';

$item_code = 'p'.$pag['page_id'];
list($comments_link, $comments_display, $comments_count) = sed_build_comments($item_code, $pag['page_pageurl'], $comments);

// The raw GET value $c is used as a key into $sed_cat without checking it exists; where
// $sys['sublocation'] is later output, and whether it is escaped there, is not visible here.
$sys['sublocation'] = $sed_cat[$c]['title'];
$out['subtitle'] = $pag['page_title'];

/* === Hook === */
// Second plugin hook, same include-into-scope behaviour as 'page.first'; plugins can alter $pag.
$extp = sed_getextplugins('page.main');
if (is_array($extp))
{
	foreach($extp as $k => $pl)
	{
		include('plugins/'.$pl['pl_code'].'/'.$pl['pl_file'].'.php');
	}
}
/* ===== */

$t = new XTemplate("skins/".$skin."/page.print.tpl");
// Only user_name is passed through sed_cc() here; every other field goes to the template
// as stored. Whether XTemplate escapes on output is not visible in this file.
$t->assign(array(
	"PAGE_ID" => $pag['page_id'],
	"PAGE_STATE" => $pag['page_state'],
	"PAGE_EXECUTE" => $pag['page_execute'],
	"PAGE_TITLE" => $pag['page_fulltitle'],
	// Uses the GET $id rather than $pag['page_id']: when the page was found via ?al=, $id
	// is whatever the filter returned for a missing parameter, so this URL may be wrong.
	"PAGE_TITLEURL" => $cfg['mainurl']."/page.php?id=".$id,
	"PAGE_SHORTTITLE" => $pag['page_title'],
	"PAGE_CAT" => $pag['page_cat'],
	"PAGE_CATTITLE" => $sed_cat[$pag['page_cat']]['title'],
	"PAGE_CATPATH" => $catpath,
	"PAGE_CATDESC" => $sed_cat[$pag['page_cat']]['desc'],
	"PAGE_CATICON" => $sed_cat[$pag['page_cat']]['icon'],
	"PAGE_KEY" => $pag['page_key'],
	"PAGE_EXTRA1" => $pag['page_extra1'],
	"PAGE_EXTRA2" => $pag['page_extra2'],
	"PAGE_EXTRA3" => $pag['page_extra3'],
	"PAGE_EXTRA4" => $pag['page_extra4'],
	"PAGE_EXTRA5" => $pag['page_extra5'],
	"PAGE_DESC" => $pag['page_desc'],
	"PAGE_AUTHOR" => $pag['page_author'],
	"PAGE_OWNER" => sed_build_user($pag['page_ownerid'], sed_cc($pag['user_name'])),
	"PAGE_AVATAR" => sed_build_userimage($pag['user_avatar']),
	"PAGE_DATE" => $pag['page_date'],
	"PAGE_BEGIN" => $pag['page_begin'],
	"PAGE_EXPIRE" => $pag['page_expire'],
	"PAGE_COMMENTS" => $comments_link,
));

// Multi-tab navigation block, only for pages split into more than one tab.
if($pag['page_totaltabs']>1)
{
	$t->assign(array(
		"PAGE_MULTI_TABNAV" => $pag['page_tabnav'],
		"PAGE_MULTI_TABTITLES" => $pag['page_tabtitles'],
		"PAGE_MULTI_CURTAB" => $pag['page_tab'],
		"PAGE_MULTI_MAXTAB" => $pag['page_totaltabs']
	));
	$t->parse("MAIN.PAGE_MULTI");
}

// Admin-only links. sed_xg() is appended to the unvalidate URL — presumably an anti-forgery
// token for that state-changing action; confirm against its definition.
if ($usr['isadmin'])
{
	$t->assign(array(
		"PAGE_ADMIN_COUNT" => $pag['page_count'],
		"PAGE_ADMIN_UNVALIDATE" => "<a href=\"admin.php?m=page&amp;s=queue&amp;a=unvalidate&amp;id=".$pag['page_id']."&amp;".sed_xg()."\">".$L['Putinvalidationqueue']."</a>",
		"PAGE_ADMIN_EDIT" => "<a href=\"page.php?m=edit&amp;id=".$pag['page_id']."&amp;r=list\">".$L['Edit']."</a>"
	));
	$t->parse("MAIN.PAGE_ADMIN");
}

// Body rendering by page_type (switch compares loosely, so int 1/2 match '1'/'2').
switch($pag['page_type'])
{
	case '1':
		// Raw HTML mode: stored text is emitted as-is.
		$t->assign("PAGE_TEXT", $pag['page_text']);
		break;

	case '2':
		// PHP mode: the stored page text is executed as server-side code when BOTH config
		// flags are on. Anyone who can write page_text for a type-2 page therefore runs code
		// with the web server's privileges — keep allowphp_pages/allowphp_override disabled
		// unless every page author is fully trusted, and audit who can set page_type=2.
		if ($cfg['allowphp_pages'] && $cfg['allowphp_override'])
		{
			ob_start();
			eval($pag['page_text']);
			$t->assign("PAGE_TEXT", ob_get_clean());
		}
		else
		{
			$t->assign("PAGE_TEXT", "The PHP mode is disabled for pages.<br />Please see the administration panel, then \"Configuration\", then \"Parsers\".");
		}
		break;

	default:
		// Parsed mode: text is escaped with sed_cc() first, then BBcode/smilies are applied.
		$t->assign("PAGE_TEXT",sed_parse(sed_cc($pag['page_text']), $cfg['parsebbcodepages'], $cfg['parsesmiliespages'], 1));
		break;
}

// Attached-file block: icon is chosen from the (lower-cased, max 5 chars) extension of
// page_url, falling back to a generic icon when no matching image exists.
if($pag['page_file'])
{
	if (!empty($pag['page_url']))
	{
		// If page_url has no '.', strrpos() returns false and false+1 === 1, so the
		// "extension" becomes the 5 bytes after the first character.
		$dotpos = strrpos($pag['page_url'],".")+1;
		$pag['page_fileicon'] = "system/img/pfs/".strtolower(substr($pag['page_url'], $dotpos, 5)).".gif";
		if (!file_exists($pag['page_fileicon']))
		{
			$pag['page_fileicon'] = "system/img/admin/page.gif";
		}
		$pag['page_fileicon'] = "<img src=\"".$pag['page_fileicon']."\" alt=\"\">";
	}
	else
	{
		$pag['page_fileicon'] = '';
	}
	$t->assign(array(
		"PAGE_FILE_URL" => "page.php?id=".$pag['page_id']."&amp;a=dl",
		"PAGE_FILE_SIZE" => $pag['page_size'],
		"PAGE_FILE_COUNT" => $pag['page_filecount'],
		"PAGE_FILE_ICON" => $pag['page_fileicon']
	));
	$t->parse("MAIN.PAGE_FILE");
}

// Window title, then render.
$t->assign(array (
	"HEADER_TITLE" => $cfg['maintitle']." ".$cfg['separator']." ".$pag['page_title']." :: ".$L['plu_title'],
));
$t->parse("MAIN");
$t->out("MAIN");
?>

################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
#######################################################

References:

http://www.seditiocms.com/datas/users/1/1-10d40e-sed-en.rar
Twitter.com/ShakeriHassan

