Widget Property Vuln.

Type securityvulns
Reporter Securityvulns
Modified 2005-12-05T00:00:00


Widget Property Vuln.

Vuln. discovered by: r0t
Date: 5 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/widget-property-vuln.html
Vendor: http://www.widgetpress.com/products?product=wp
Affected versions: 1.1.19 and the Easy, CSV and Lite versions.

Product Description: Easily manage all your listings in a turnkey database driven web application. Powerful server software with multi-user support, Upload multiple media files. Auto generation of PDF flyers with listing photos, Add featured properties, resume profiles, articles, Generate neighborhood profiles, area profiles, city profiles, area appreciation, utilities, schools, custom generated home page with photos, admin the entire site from anywhere in the world, and dynamic multi-language support. Agent dynamic Vcards. Publish property listings and articles in RSS real estate feeds. Auto syndicates real estate feeds with www.propertyrss.com. Comes with 1 year of Paid Subscriber API's to www.propertyrss.com. Publishes your properties to www.propertywalkthru.com, a free classified real estate site. Supports template interface with XHTML and CSS in a tableless environment.

Vuln. description: Input passed to the "property_id", "zip_code", "property_type_id", "price" and "city_id" parameters in "property.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Input passed to the "lang" parameter in "property.php" also isn't properly sanitised; an attacker can use it to obtain full path disclosure.

Examples:

/property.php?action=property&property_id=[SQL]
/property.php?action=search&city_id=&zip_code=[SQL]&price=&property_type_id=1&submit=submit
/property.php?action=search&city_id=&zip_code=&price=75000&property_type_id=[SQL]&submit=submit
/property.php?action=search&city_id=&zip_code=&price=[SQL]&property_type_id=&submit=submit
/property.php?action=search&city_id=[SQL]&zip_code=&price=&property_type_id=&submit=submit


Solution: Edit the source code to ensure that input is properly sanitised.
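The fix the advisory asks for, shown as an added example rather than Widget Property's own code: the insecure shape that the description implies (request values concatenated into the query) is placed beside a hardened search handler that validates each parameter against its expected type and binds values through PDO prepared statements, and the "lang" value is checked against an allowlist before it is turned into a file path. The table and column names, the PDO connection, the $supportedLangs list and the sample rows are all assumptions made for illustration.

```php
<?php
// Added example (not the product's real code). Assumed schema: a "properties"
// table with the columns named by the advisory's request parameters.
declare(strict_types=1);

// --- Vulnerable shape the advisory describes (kept only for contrast) ---
function searchVulnerable(PDO $db, array $get): array
{
    // Every value is spliced straight into the SQL text, so any of these
    // parameters can change the query's structure.
    $sql = "SELECT * FROM properties WHERE city_id = '" . $get['city_id'] . "'"
         . " AND zip_code = '" . $get['zip_code'] . "'"
         . " AND price <= '" . $get['price'] . "'"
         . " AND property_type_id = '" . $get['property_type_id'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened version: type-check first, then bind, never concatenate ---
function intParam(array $get, string $name): ?int
{
    // Empty means "no filter"; anything non-empty must be a plain non-negative integer.
    if (!isset($get[$name]) || $get[$name] === '') {
        return null;
    }
    $v = filter_var($get[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($v === false) {
        throw new InvalidArgumentException("Parameter '$name' must be an integer");
    }
    return $v;
}

function searchHardened(PDO $db, array $get): array
{
    $where  = [];
    $params = [];
    // Column names come from this fixed list, never from the request.
    foreach (['city_id', 'price', 'property_type_id'] as $col) {
        $val = intParam($get, $col);
        if ($val !== null) {
            $where[]          = $col === 'price' ? 'price <= :price' : "$col = :$col";
            $params[":$col"]  = $val;
        }
    }
    // zip_code is free text: bound as a string parameter and length-capped.
    if (isset($get['zip_code']) && $get['zip_code'] !== '') {
        $where[]             = 'zip_code = :zip_code';
        $params[':zip_code'] = substr((string) $get['zip_code'], 0, 10);
    }
    $sql  = 'SELECT * FROM properties' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    $stmt = $db->prepare($sql);
    foreach ($params as $k => $v) {
        $stmt->bindValue($k, $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- "lang": allowlist before the value reaches any include/path ---
function resolveLangFile(array $get, string $langDir): string
{
    $supportedLangs = ['en', 'fr', 'es'];   // assumed set of shipped language files
    $lang = $get['lang'] ?? 'en';
    if (!in_array($lang, $supportedLangs, true)) {
        $lang = 'en';                        // silently fall back; do not echo the bad value
    }
    return $langDir . '/' . $lang . '.php';
}

// --- Constructed demo data so the file runs stand-alone (needs pdo_sqlite) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE properties (property_id INTEGER PRIMARY KEY, city_id INTEGER,
           zip_code TEXT, price INTEGER, property_type_id INTEGER)');
$db->exec("INSERT INTO properties VALUES (1, 7, '90210', 75000, 1), (2, 7, '90211', 120000, 2)");

$good = ['city_id' => '7', 'zip_code' => '', 'price' => '75000', 'property_type_id' => '1'];
print_r(searchHardened($db, $good));          // one row: property_id 1

$bad = ['city_id' => '7', 'zip_code' => '', 'price' => '', 'property_type_id' => "1' OR '1'='1"];
try {
    searchHardened($db, $bad);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";   // malformed integer never reaches SQL
}

echo resolveLangFile(['lang' => '../../etc/passwd'], '/srv/app/lang') . "\n"; // /srv/app/lang/en.php
```

Two deployment notes that go with the code: with MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by client-side string escaping, and keep display_errors off in production (ini_set('display_errors', '0') or the php.ini setting), because the full-path disclosure the advisory reports on the "lang" parameter is the kind of information a failed include warning prints when error display is left on.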