Open Real Estate 1.15.1 XSS / SQL Injection / Weak Hashing
Posted on 10 February 2016
Introduction: Open Real Estate is an open source CMS for managing estate agent websites. It is written in PHP and uses the YII CMF. It supports multiple languages. It is supported by MonoRay.net The product has a number of commercial support offerings available and an internal market for extensions. http://open-real-estate.info/ The core application was examined using Burp Suite Pro, SQLmap, and manual inspection (no extensions were examined). A number of vulnerabilities in version 1.15.1 were notified to info@monoray.net on 2015-12-25. No acknowledgement or correspondence was received in response to this notification. Version 1.15.2 was released on 2016-01-12 Version 1.15.3 was released on 2016-01-31 The code for 1.15.3 includes fixes that appear to address the most serious of these vulnerabilities, users should upgrade to 1.15.3, and should perform a further review of their website's security. The objType parameter in the search query was susceptible to blind sql injection allowing unauthenticated user to download the database’s contents (including password hashes and client details). The objType parameter was also susceptible to a reflected XSS attack, as it is injected directly into JavaScript the XSS works on browsers with XSS auditors (Chrome), as well as those without (Firefox). http://192.168.56.101/search?city[]=7&apType=1&objType=141893%3balert%281%29%2f%2f748&price_min=25&price_max=185000&square_min=35&square_max=350&rooms=0&floor_min=0&floor_max=30&do-term-search=0&sApId=&ot= The 1.15.3 code now has additional tests that the objType parameter is an integer, I have not confirmed the fix is correct. The tag parameter to the news page was vulnerable to reflected XSS. http://192.168.56.101/news?tag=%D0%BD%D0%BE%D0%B2%D0%BE%D1%81%D1%82%D0%B83cebf%3Cscript%3Ealert%281%29%3C%2fscript%3E12d03 I have not established if this is addressed in 1.15.3 The program deploys its own password hash based on one round of MD5 with salting, and a static string. The authors advise users to change the static salt add-on string, see: http://open-real-estate.info/en/settings-and-security-tuning The is very weak password hashing by modern standards, the static salt add-on only adds significant strength if it were long and strong and not compromised when the password hashes were compromised. The password hash method appears unchanged in 1.15.3. Extract from protected/models/User.php private static $_saltAddon = 'openre'; ... public static function hashPassword($password, $salt) { return md5($salt . $password . $salt . self::$_saltAddon); } It was noted that the YII framework 1.1.16 CSRF prevention token cookie value was inserted into JavaScript without further validating it, this would enable any cookie forcing attacks to escalate quickly to XSS, and seems ill advised for want of one regular expression. The issue was previously discussed in the YII bug tracker but not addressed, as of itself it is not an exploit. There was also some good discussion about whether using cookies as a store for CSRF tokens is a desirable practice; storing the CSRF token in the server’s session would seem preferable, propagating the value beyond the essential places would seem to place it at risk of being compromised and CSRF protection to thus fail.