Seditio Cross Site Scripting Vulnerability May 24 2006 03:18PM
mail yunusemreyilmaz com
Advisory : Cross Site Scripting in Seditio (http://www.neocrome.net)

Release Date : 24/05/2005

Last Modified : 24/05/2005

Author : Yunus Emre Yilmaz ( http://yns.zaxaz.com)

Application : Seditio v102 ( maybe older versions)

Risk : Critical

Problem :

Ldu's logging all referer info for administrator.If an attacker change the referer value with malicious

js codes, the code will be executed in administration page.Referer info is coming from user and can be changed as everything.

Proof Of Concept :

I wrote a simple exploit which can be downloaded from here : http://yns.zaxaz.com/exploits/seditio-exploit.rar

Solution :

I wrote an unofficial security patch which can be downloaded from here : http://yns.zaxaz.com/security-patches/security-patches-seditio-v102-xss-
patch.rar

(For offical patches : www.neocrome.net)

Original Advisory :

http://yns.zaxaz.com/advisories/seditio.txt

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus