Seditio CMS Multiple Vulnerabilities.

CVE Category Price Severity
CVE-2021-27149 CWE-79 Not specified High
Author Risk Exploitation Type Date
Berk KIRAS High Remote 2017-03-18
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017030160

Below is a copy:

Seditio CMS Multiple Vulnerabilities.
############################################
# Exploit Title  : Seditio CMS Multiple Vulnerabilities.
# Exploit Author : Ashiyane Digital Security Team 
# Vendor Homepage: www.seditiocms.com
# Google Dork    : intext:Powered by Seditio CMS
# Software Link  : http://www.seditiocms.com/datas/users/1/1-10d40e-sed-en.rar
# Date           : 2017 18 March
# CVE            : N/A at publication (the listing header above associates this advisory with CVE-2021-27149, assigned later)
# Tested On      : Linux - Chrome
# Category       : Web Application
# MY HOME        : Ashiyane.org 
# 
############################################
## Seditio CMS SQL injection and XSS vulnerabilities (as claimed by the authors; no proof-of-concept request is given)
## Research By Ashiyane Digital Security Team.
## Affected file: system/core/page/page.print.inc.php (an include, presumably reached through page.php)
## The request-derived inputs are the GET parameters read through sed_import() near the top of the file
## ($id, $al, $r, $c, $pg): $al and $id are interpolated into the SQL string, and page fields such as the
## title, description, author and extra fields are handed to the template without escaping in this file.
############################################

                                # # # # # # # # # # # #
                                # Vulnerability Code  #
                                # # # # # # # # # # # #

<?PHP

/* ====================
Seditio - Website engine
Copyright Neocrome
http://www.seditiocms.com
[BEGIN_SED]
File=page.print.inc.php
Version=171
Updated=2013-mar-05
Type=Core
Author=Neocrome
Description=Pages
[END_SED]
==================== */

// Refuse direct requests: this file is only meaningful once the front
// controller has defined SED_CODE.
defined('SED_CODE') or die('Wrong URL.');

// Resolve the caller's rights on the 'page' area and stop when reading is denied.
$auth = sed_auth('page', 'any');
$usr['auth_read'] = $auth[0];
$usr['auth_write'] = $auth[1];
$usr['isadmin'] = $auth[2];
sed_block($usr['auth_read']);

// GET parameters, each passed through sed_import()'s named filter. The character
// sets allowed by 'ALP' and 'TXT' are defined outside this file; the SQL further
// down interpolates $al directly, so it relies on 'ALP' excluding quote and
// backslash characters — verify that before trusting it.
$id = sed_import('id', 'G', 'INT');   // numeric page id
$al = sed_import('al', 'G', 'ALP');   // page alias; takes precedence over id when set
$r = sed_import('r', 'G', 'ALP');     // not referenced in this file (plugins may read it)
$c = sed_import('c', 'G', 'TXT');     // category code, used only as a key into $sed_cat here
$pg = sed_import('pg', 'G', 'INT');   // tab number for multi-tab pages

/* === Hook === */
// 'page.first' plugin hook: runs before the page row is fetched. The include
// paths are assembled from the plugin registry returned by sed_getextplugins(),
// not from request data.
$extp = sed_getextplugins('page.first');
if (is_array($extp))
{
    foreach ($extp as $k => $pl)
    {
        include('plugins/' . $pl['pl_code'] . '/' . $pl['pl_file'] . '.php');
    }
}
/* ===== */

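// Look the page up by alias when one was given, otherwise by numeric id.
//
// Both values are interpolated straight into the SQL string. $id is forced to an
// integer here so the id query cannot be influenced by anything the 'INT' filter
// might let through. $al is checked against a conservative whitelist before use:
// sed_import()'s 'ALP' filter lives outside this file, so this is defence in depth,
// not a replacement for it. If the project offers an escaping or prepared-query
// helper, prefer it over string interpolation.
// NOTE(review): widen the whitelist if page aliases legitimately contain other
// characters — an alias that fails it is refused through the normal sed_die() path.
if (!empty($al))
{
    sed_die(!preg_match('/^[A-Za-z0-9_\-.]+$/', $al));
    $sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p
LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid
WHERE page_alias='$al' LIMIT 1");
}
else
{
    $id = (int) $id;
    $sql = sed_sql_query("SELECT p.*, u.user_name, u.user_avatar FROM $db_pages AS p
LEFT JOIN $db_users AS u ON u.user_id=p.page_ownerid
WHERE page_id='$id'");
}

// No matching row: stop with the standard not-found handling.
sed_die(sed_sql_numrows($sql) == 0);
$pag = sed_sql_fetcharray($sql);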

// Render the three stored timestamps in the user's timezone with the configured
// format. The '@' silences date() on malformed stored values (existing behaviour).
$tzshift = $usr['timezone'] * 3600;
foreach (array('page_date', 'page_begin', 'page_expire') as $datefield)
{
    $pag[$datefield] = @date($cfg['dateformat'], $pag[$datefield] + $tzshift);
}

// Current tab, defaulting to the first one.
$pag['page_tab'] = empty($pg) ? 1 : $pg;

// Canonical URL of this page: alias form when an alias exists, id form otherwise.
if (empty($pag['page_alias']))
{
    $pag['page_pageurl'] = "page.php?id=".$pag['page_id'];
}
else
{
    $pag['page_pageurl'] = "page.php?al=".$pag['page_alias'];
}

// Breadcrumb: category path, separator, then a link to the page itself, with the
// current tab's title appended on multi-tab pages.
// NOTE(review): page_alias, page_title and the tab title are inserted as-is. The
// user name below goes through sed_cc(), these do not; whether they are already
// HTML-escaped when stored is decided by the page editor, not here — confirm that,
// because this is where a stored script in the title would be rendered.
$catpath = sed_build_catpath($pag['page_cat'], "<a href=\"list.php?c=%1\$s\">%2\$s</a>");
$titlelink = "<a href=\"".$pag['page_pageurl']."\">".$pag['page_title']."</a>";
$pag['page_fulltitle'] = $catpath." ".$cfg['separator']." ".$titlelink;
$curtab = $pag['page_tab'] - 1;
if ($pag['page_totaltabs'] > 1 && !empty($pag['page_tabtitle'][$curtab]))
{
    $pag['page_fulltitle'] .= " (".$pag['page_tabtitle'][$curtab].")";
}

// Comments are keyed by 'p' followed by the page id. $comments is not defined
// in this file; sed_build_comments() presumably fills it by reference — verify.
$item_code = 'p'.$pag['page_id'];
list($comments_link, $comments_display, $comments_count) = sed_build_comments($item_code, $pag['page_pageurl'], $comments);

// Layout sub-location comes from the category named by the 'c' parameter, which
// is used purely as a lookup key into $sed_cat (it never reaches SQL here).
$sys['sublocation'] = $sed_cat[$c]['title'];
$out['subtitle'] = $pag['page_title'];

/* === Hook === */
// 'page.main' plugin hook: runs after the page row and breadcrumb are ready but
// before the template is loaded. Paths come from the plugin registry, not the request.
$extp = sed_getextplugins('page.main');
if (is_array($extp))
{
    foreach ($extp as $k => $pl)
    {
        include('plugins/' . $pl['pl_code'] . '/' . $pl['pl_file'] . '.php');
    }
}
/* ===== */


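// Load the print-view skin template and hand it the page fields.
$t = new XTemplate("skins/".$skin."/page.print.tpl");

// Most values below are raw DB fields. Only user_name is passed through sed_cc();
// page_title, page_desc, page_author, page_key and the extra fields are emitted as
// stored. NOTE(review): confirm they are escaped at write time — nothing in this
// file escapes them, so this is where a stored script in any of them would render.
$t->assign(array(
"PAGE_ID" => $pag['page_id'],
"PAGE_STATE" => $pag['page_state'],
"PAGE_EXECUTE" => $pag['page_execute'],
"PAGE_TITLE" => $pag['page_fulltitle'],
// Absolute URL of the page. Use the id from the fetched row rather than the 'id'
// GET parameter: when the page was requested by alias, $id is empty and the
// previous code produced "page.php?id=" with no value.
"PAGE_TITLEURL" => $cfg['mainurl']."/page.php?id=".$pag['page_id'],
"PAGE_SHORTTITLE" => $pag['page_title'],
"PAGE_CAT" => $pag['page_cat'],
"PAGE_CATTITLE" => $sed_cat[$pag['page_cat']]['title'],
"PAGE_CATPATH" => $catpath,
"PAGE_CATDESC" => $sed_cat[$pag['page_cat']]['desc'],
"PAGE_CATICON" => $sed_cat[$pag['page_cat']]['icon'],
"PAGE_KEY" => $pag['page_key'],
"PAGE_EXTRA1" => $pag['page_extra1'],
"PAGE_EXTRA2" => $pag['page_extra2'],
"PAGE_EXTRA3" => $pag['page_extra3'],
"PAGE_EXTRA4" => $pag['page_extra4'],
"PAGE_EXTRA5" => $pag['page_extra5'],
"PAGE_DESC" => $pag['page_desc'],
"PAGE_AUTHOR" => $pag['page_author'],
"PAGE_OWNER" => sed_build_user($pag['page_ownerid'], sed_cc($pag['user_name'])),
"PAGE_AVATAR" => sed_build_userimage($pag['user_avatar']),
"PAGE_DATE" => $pag['page_date'],
"PAGE_BEGIN" => $pag['page_begin'],
"PAGE_EXPIRE" => $pag['page_expire'],
"PAGE_COMMENTS" => $comments_link,
));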

// Multi-tab pages additionally get the tab navigation block.
if ($pag['page_totaltabs'] > 1)
{
    $t->assign(array(
        "PAGE_MULTI_TABNAV" => $pag['page_tabnav'],
        "PAGE_MULTI_TABTITLES" => $pag['page_tabtitles'],
        "PAGE_MULTI_CURTAB" => $pag['page_tab'],
        "PAGE_MULTI_MAXTAB" => $pag['page_totaltabs']
    ));
    $t->parse("MAIN.PAGE_MULTI");
}

// Administrators also see the hit counter and the moderation links. The
// unvalidate link carries sed_xg(), presumably the anti-CSRF token appended to
// state-changing admin URLs (defined elsewhere); the edit link does not change
// state by itself.
if ($usr['isadmin'])
{
    $adminlinks = array(
        "PAGE_ADMIN_COUNT" => $pag['page_count'],
        "PAGE_ADMIN_UNVALIDATE" => "<a href=\"admin.php?m=page&amp;s=queue&amp;a=unvalidate&amp;id=".$pag['page_id']."&amp;".sed_xg()."\">".$L['Putinvalidationqueue']."</a>",
        "PAGE_ADMIN_EDIT" => "<a href=\"page.php?m=edit&amp;id=".$pag['page_id']."&amp;r=list\">".$L['Edit']."</a>"
    );
    $t->assign($adminlinks);
    $t->parse("MAIN.PAGE_ADMIN");
}

// Body rendering depends on the stored page type (loose comparison, as the
// original switch used).
if ($pag['page_type'] == '1')
{
    // Type 1: raw HTML, emitted exactly as stored.
    $t->assign("PAGE_TEXT", $pag['page_text']);
}
elseif ($pag['page_type'] == '2')
{
    // Type 2: the page body is PHP source executed with eval().
    // SECURITY: this runs arbitrary code from the database with the web server's
    // privileges. It is reachable only when both $cfg['allowphp_pages'] and
    // $cfg['allowphp_override'] are enabled in the admin configuration; with them
    // on, anyone who can store a type-2 page has code execution on the host, so
    // treat page-editing rights as admin-equivalent and keep the flags off unless
    // this is intended.
    if ($cfg['allowphp_pages'] && $cfg['allowphp_override'])
    {
        ob_start();
        eval($pag['page_text']);
        $t->assign("PAGE_TEXT", ob_get_clean());
    }
    else
    {
        $t->assign("PAGE_TEXT", "The PHP mode is disabled for pages.<br />Please see the administration panel, then \"Configuration\", then \"Parsers\".");
    }
}
else
{
    // Any other type: escape with sed_cc(), then run the BBcode/smilies parser.
    $t->assign("PAGE_TEXT", sed_parse(sed_cc($pag['page_text']), $cfg['parsebbcodepages'], $cfg['parsesmiliespages'], 1));
}

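if (!function_exists('sed_page_print_fileicon'))
{
    /**
     * Build the <img> tag for an attachment's type icon from its URL.
     *
     * Returns '' when $url is empty. Otherwise the text after the last '.' (at most
     * 5 characters, lower-cased) selects system/img/pfs/<ext>.gif; if there is no
     * dot, the extension is not purely [a-z0-9], or that icon file does not exist,
     * the generic system/img/admin/page.gif is used instead.
     *
     * The whitelist replaces the old behaviour of probing a path built from any
     * characters after the last dot (including '/'), and the explicit false check on
     * strrpos() fixes the old "no dot" case, which read the substring from offset 1.
     *
     * @param string $url  stored attachment URL (page_url)
     * @return string      '' or an <img> tag
     */
    function sed_page_print_fileicon($url)
    {
        if (empty($url))
        {
            return '';
        }
        $iconfile = "system/img/admin/page.gif";
        $dotpos = strrpos($url, ".");
        if ($dotpos !== false)
        {
            $ext = strtolower(substr($url, $dotpos + 1, 5));
            if (preg_match('/^[a-z0-9]+$/', $ext) && file_exists("system/img/pfs/".$ext.".gif"))
            {
                $iconfile = "system/img/pfs/".$ext.".gif";
            }
        }
        return "<img src=\"".$iconfile."\" alt=\"\">";
    }
}

// Pages with an attached file get the download block.
if ($pag['page_file'])
{
    $pag['page_fileicon'] = sed_page_print_fileicon($pag['page_url']);

    $t->assign(array(
    "PAGE_FILE_URL" => "page.php?id=".$pag['page_id']."&amp;a=dl",
    "PAGE_FILE_SIZE" => $pag['page_size'],
    "PAGE_FILE_COUNT" => $pag['page_filecount'],
    "PAGE_FILE_ICON" => $pag['page_fileicon']
    ));
    $t->parse("MAIN.PAGE_FILE");
}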

// Window title: site title, separator, page title, then the print-view label.
$headertitle = $cfg['maintitle']." ".$cfg['separator']." ".$pag['page_title']." :: ".$L['plu_title'];
$t->assign(array("HEADER_TITLE" => $headertitle));

// Render the MAIN block and send it to the client.
$t->parse("MAIN");
$t->out("MAIN");






?>

################################################
# Discovered By : Hassan Shakeri 
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - [email protected]
#######################################################
