Vulners
Lucene search
Real Estates Property CMS 2012 - Multiple Web Vulnerabilities
Title:
======
Real Estates Property CMS 2012 - Multiple Web Vulnerabilities
Introduction:
=============
Real Estate property is an online real-estate service committed to helping you make wise and profitable
decisions related to buying, selling, renting and leasing of properties, in India and key global geographies.
It will provide a fresh new approach to our esteemed users to search for properties to buy or rent, and
list their properties for selling or leasing.
(Copy of the Vendor Homepage: http://www.gharwhar.com)
Details:
========
1.1
A remote SQL Injection vulnerability is detected on Real Estates property website cms 2012 Q2.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.
Vulnerable Module(s):
[+] Project-Shree_Balaji_-Ahmedabad-4
[+] property_listings_detail.php?listingid=12[
[+] my_account_edit_builder_project.php?id=37%27
[+] my_account_view_builder_project.php?id=37
--- SQL Exception Logs ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near \\\\\\\'Approved\\\\\\\' AND proj_featured=\\\\\\\'yes\\\\\\\'\\\\\\\' at line 1
-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near Approved AND proj_featured= yes at line 1
-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near 37 at line 1
1.2
A persistent input validation vulnerabilities are detected Real Estates property website cms 2012 Q2.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user inter action.
Vulnerable Module(s):
[+] Create Object - Project Name / Title/Short Description/Project TypeProject Location / Address/Contact Person/Address
1.3 Arbiritrary File Upload
Arbitrary file upload vulnerability allows the attacker to upload different files that aren\\\\\\\'t images or pdf. The attacker can upload these files after, he/she remans them to file.php%00.jpg. The null byte get truncated and the the file file.php get uploaded
Vulnerable Module(s):
[+] Property Details - uploading propertied photos
[+] add profile photo
# 0day.today [2018-02-17] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 May 2012 00:00Current
7.1High risk
Vulners AI Score7.1