by r0t,der4444,cembo,VietMafia

Monday, December 05, 2005

Widget Property Vuln.

Vuln. discovered by: r0t
Date: 5 Dec. 2005
Vendor: http://www.widgetpress.com/products?product=wp
Affected version: 1.1.19 and Easy, CSV, Lite versions.


Product Description:
Easily manage all your listings in a turnkey database driven web application. Powerful server software with multi-user support, Upload multiple media files. Auto generation of PDF flyers with listing photos, Add featured properties, resume profiles, articles, Generate neighborhood profiles, area profiles, city profiles, area appreciation, utilities, schools, custom generated home page with photos, admin the entire site from anywhere in the world, and dynamic multi-language support. Agent dynamic Vcards. Publish property listings and articles in RSS real estate feeds. Auto syndicates real estate feeds with www.propertyrss.com. Comes with 1 year of Paid Subscriber API's to www.propertyrss.com. Publishes your properties to www.propertywalkthru.com, a free classified real estate site. Supports template interface with XHTML and CSS in a tableless environment.

Vuln. description:
Input passed to the "property_id", "zip_code", "property_type_id", "price" and "city_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Also, input passed to the "lang" parameter in "property.php" isn't properly sanitised; an attacker can get full path disclosure.

examples:
/property.php?action=property&property_id=[SQL]

/property.php?action=search&city_id=&zip_code=[SQL]&price=&property_type_id=1&submit=submit

/property.php?action=search&city_id=&zip_code=&price=75000&property_type_id=[SQL]&submit=submit

/property.php?action=search&city_id=&zip_code=&price=[SQL]&property_type_id=&submit=submit

/property.php?action=search&city_id=[SQL]&zip_code=&price=&property_type_id=&submit=submit


/property.php?lang=r0t

Solution:
Edit the source code to ensure that input is properly sanitised.
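
One way to apply that fix, as an added example that is not WidgetPress code: each listed parameter is validated against a strict pattern and bound into a prepared statement, and "lang" is checked against an allow-list. The `properties` table, its columns, the reading of `price` as a maximum, and the `en`/`es` language list are assumptions.

```php
<?php
// Added example; table/column names and the language list are assumptions.
ini_set('display_errors', '0');   // errors go to the log, so file paths are not echoed

// Empty means "no filter"; anything else must match the pattern or the request is rejected.
function clean_param(array $in, string $name, string $pattern): ?string {
    $v = trim((string)($in[$name] ?? ''));
    if ($v === '') return null;
    if (!preg_match($pattern, $v)) throw new InvalidArgumentException("invalid $name");
    return $v;
}

// Column names come from this fixed map; request values are only ever bound.
function search_properties(PDO $db, array $in): array {
    $rules = [
        'property_id'      => ['=',  '/^\d{1,9}$/'],
        'city_id'          => ['=',  '/^\d{1,9}$/'],
        'property_type_id' => ['=',  '/^\d{1,9}$/'],
        'zip_code'         => ['=',  '/^[A-Za-z0-9 -]{3,10}$/'],
        'price'            => ['<=', '/^\d{1,12}$/'],   // assumed to be a maximum price
    ];
    $where = []; $args = [];
    foreach ($rules as $col => [$op, $re]) {
        if (($v = clean_param($in, $col, $re)) !== null) {
            $where[] = "$col $op :$col";
            $args[":$col"] = $v;
        }
    }
    $sql = 'SELECT property_id, price FROM properties'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    $st = $db->prepare($sql);
    $st->execute($args);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Unknown lang values fall back to the default instead of reaching a file path.
function pick_lang(array $in, array $allowed = ['en', 'es'], string $default = 'en'): string {
    $l = (string)($in['lang'] ?? $default);
    return in_array($l, $allowed, true) ? $l : $default;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE properties (property_id INTEGER, city_id INTEGER, zip_code TEXT, property_type_id INTEGER, price INTEGER)');
$db->exec("INSERT INTO properties VALUES (1,10,'90210',1,70000), (2,10,'10001',2,90000)");
print_r(search_properties($db, ['price' => '75000', 'property_type_id' => '1']));
try { search_properties($db, ['city_id' => 'not-a-number']); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
echo pick_lang(['lang' => 'r0t']), "\n";
```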

7 Comments:

Anonymous Anonymous told...

what error does the lang=r0t generate? there might be a ".." directory traversal

5:41 AM

 
Blogger r0t told...

yes:

"Also input passed to the "lang" parameter in "property.php" isn't properly sanitised, attacker can get full path disclosure."

6:24 AM

 
Anonymous real estate listings told...

You have a great website here, and I'm going to tell all my friends about it.

3:08 PM

 
Copyright (c) 2006 Pridels Sec Crew