MYRE Real Estate Mobile 2012|2 - Multiple Web Vulnerabilities

2012-05-01T00:00:00
ID 1337DAY-ID-18179
Type zdt
Reporter Benjamin K.M.
Modified 2012-05-01T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Title:
======
MYRE Real Estate Mobile 2012|2 - Multiple Web Vulnerabilities

Introduction:
=============
Best solution for a professional Real Estate management software. Try MYRE Real Estate Mobile Software, Real 
Estate ready-to-use software best solution for a professional Real Estate management software. Try MYRE Real 
Estate Software, Real Estate ready-to-use software. At MYRE Real Estate Software, we offer professional solutions 
for your Real Estate business needs, including turn-key operations. That\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'s right, turn-key! Start your real 
estate business today with MYRE Real Estate Mobile Software and get into the real estate market the same day. 

    Businesses for sale
    Commercial properties for lease
    Commercial properties for sale
    Real estate properties for sale
    Real estate properties for rent
    Holiday rentals
    Or any combination

MYRE Real Estate Software provides a complete realty listing management solution. It is easily customized to reflect 
your creativity whether you are starting from scratch or integrating it into an existing web site. MYRE Real Estate 
Software can be used to promote residential as well as commercial rentals. This software is suitable for an 
independent agent site, or the listings section of your brokerage and/or real estate agency web site.

(Copy of the Vendor Homepage: http://www.myrephp.com &  http://myrephp.com/realestate/1_mobile/ )

Details:
========
1.1
Multiple remote SQL Injection vulnerabilities are detected in MYREs Real Estate Mobile Application (2012 Q2).
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands 
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.
The vulnerability is located on the link_idd & userid value of the mobile application.

Vulnerable Module(s):
				[+] Listings - Link_IDD
				[+] Agent Profile - UserID

1.2
Multiple non persistent cross site scripting vulnerabilities are detected in MYREs Real Estate Mobile Application (2012 Q2).
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with high required 
user inter action or local low privileged user account. Successful exploitation can result in account steal, phishing 
& client-side content request manipulation.

Vulnerable Module(s):
				[+] Search - bedrooms1
				[+] Search - price2



#  0day.today [2018-01-09]  #