Multiple defects and repair of MYRE Real Estate Software


Title: MYRE Real Estate Software Multiple XSS and SQL Injection Vulnerabilities

Author: Sooraj K.S, SecPod Technologies (www.2cto.com)
 

Overview:
---------

MYRE Real Estate Software is prone to multiple cross-site scripting and SQL injection vulnerabilities.

Technical analysis:
----------------------

MYRE Real Estate Software is prone to multiple cross-site scripting and SQL injection vulnerabilities because it fails to properly sanitise user-supplied input.

1) Input passed to the 'page' parameter in findagent.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to the 'country1', 'state1', and 'city1' parameters in findagent.php is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. This may allow an attacker to steal cookie-based authentication credentials and to launch other attacks.

Impact:
--------

Successful exploitation could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Affected Software:
------------------

MYRE Real Estate Software

Reference:
---------

http://myrephp.com

http://secpod.org/blog?p=346

http://secpod.org/advisories/SECPOD_MRS_SQL_XSS_Vuln.txt

Proof of Concept:
-----------------

1) SQL Injection

http://www.bkjia.com/realestate/findagent.php?page='

2) XSS

(A) http://www.bkjia.com/realestate/findagent.php?country1=<script>alert(/XSS/)</script>

(B) http://www.bkjia.com/realestate/findagent.php?country1=&state1=<script>alert(/XSS/)</script>

(C) http://www.bkjia.com/realestate/findagent.php?country1=&state1=&city1=<script>alert(/XSS/)</script>
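The request shapes above are easy to spot in web server access logs: a non-numeric 'page' value, or HTML in any of the three reflected parameters, on findagent.php. The following detector is an added example written for this page, not part of the advisory or of the MYRE software; the log lines it scans are constructed samples in common log format, and the assumption that a legitimate 'page' value is a plain integer is mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2011:10:00:01 +0000] "GET /realestate/findagent.php?page=2&country1=US HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2011:10:00:07 +0000] "GET /realestate/findagent.php?page=' HTTP/1.1" 500 312
10.0.0.9 - - [01/Jan/2011:10:00:12 +0000] "GET /realestate/findagent.php?country1=%3Cscript%3Ealert(/XSS/)%3C/script%3E HTTP/1.1" 200 5300
10.0.0.9 - - [01/Jan/2011:10:00:15 +0000] "GET /realestate/findagent.php?country1=&state1=&city1=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300
10.0.0.7 - - [01/Jan/2011:10:00:20 +0000] "GET /realestate/index.php?page=' HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
# Markup, a javascript: URL or an inline event handler in a reflected parameter.
HTML_RE = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)
# Parameters the advisory reports as reflected without encoding.
REFLECTED_PARAMS = ("country1", "state1", "city1")


def analyse_request(url):
    """Return (kind, parameter, decoded value) findings for one request URL."""
    parts = urlsplit(url)
    if not parts.path.endswith("/findagent.php"):
        return []
    findings = []
    # parse_qs percent-decodes values, so %3Cscript%3E is inspected as <script>.
    qs = parse_qs(parts.query, keep_blank_values=True)
    # 'page' reaches a SQL query; assumption: a legitimate value is a plain integer.
    for value in qs.get("page", []):
        if not value.isdigit():
            findings.append(("sqli", "page", value))
    for name in REFLECTED_PARAMS:
        for value in qs.get(name, []):
            if HTML_RE.search(value):
                findings.append(("xss", name, value))
    return findings


def scan_log(text):
    """Return (line_number, finding) pairs for every suspicious request in a log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            for finding in analyse_request(match.group(1)):
                hits.append((lineno, finding))
    return hits


if __name__ == "__main__":
    for lineno, (kind, name, value) in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} via {name!r}: {value!r}")
```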

Solution:
----------

Fix not available

Risk Factor:
-------------

CVSS Score Report:

ACCESS_VECTOR = NETWORK

ACCESS_COMPLEXITY = LOW

AUTHENTICATION = NONE

CONFIDENTIALITY_IMPACT = PARTIAL

INTEGRITY_IMPACT = PARTIAL

AVAILABILITY_IMPACT = PARTIAL

EXPLOITABILITY = PROOF_OF_CONCEPT

REMEDIATION_LEVEL = UNAVAILABLE

REPORT_CONFIDENCE = CONFIRMED

CVSS Base Score = 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Credits:
--------

Sooraj K.S of SecPod Technologies has been credited with the discovery of these vulnerabilities.
