Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Multiple vulnerabilities in Open Real Estate v 1.15.1

From: "Simon Waters (Surevine)" <simon.waters () surevine com>
Date: Fri, 5 Feb 2016 23:11:04 +0000
Introduction: Open Real Estate is an open source CMS for managing estate agent websites.

It is written in PHP and uses the YII CMF. It supports multiple languages.

It is supported by MonoRay.net 

The product has a number of commercial support offerings available and an internal market for extensions.

http://open-real-estate.info/


The core application was examined using Burp Suite Pro, SQLmap, and manual inspection (no extensions were examined).

A number of vulnerabilities in version 1.15.1 were notified to info () monoray net on 2015-12-25.

No acknowledgement or correspondence was received in response to this notification.

Version 1.15.2 was released on 2016-01-12

Version 1.15.3 was released on 2016-01-31

The code for 1.15.3 includes fixes that appear to address the most serious of these vulnerabilities, users should 
upgrade to 1.15.3, and should perform a further review of their website's security.



The objType parameter in the search query was susceptible to blind sql injection allowing unauthenticated user to 
download the database’s contents (including password hashes and client details).

The objType parameter was also susceptible to a reflected XSS attack, as it is injected directly into JavaScript the 
XSS works on browsers with XSS auditors (Chrome), as well as those without (Firefox).

http://192.168.56.101/search?city[]=7&apType=1&objType=141893%3balert%281%29%2f%2f748&price_min=25&price_max=185000&square_min=35&square_max=350&rooms=0&floor_min=0&floor_max=30&do-term-search=0&sApId=&ot=

The 1.15.3 code now has additional tests that the objType parameter is an integer, I have not confirmed the fix is 
correct.


The tag parameter to the news page was vulnerable to reflected XSS.

http://192.168.56.101/news?tag=%D0%BD%D0%BE%D0%B2%D0%BE%D1%81%D1%82%D0%B83cebf%3Cscript%3Ealert%281%29%3C%2fscript%3E12d03

I have not established if this is addressed in 1.15.3


The program deploys its own password hash based on one round of MD5 with salting, and a static string. 

The authors advise users to change the static salt add-on string, see: 
http://open-real-estate.info/en/settings-and-security-tuning 

The is very weak password hashing by modern standards, the static salt add-on only adds significant strength if it were 
long and strong and not compromised when the password hashes were compromised.

The password hash method appears unchanged in 1.15.3.
        
Extract from protected/models/User.php
        private static $_saltAddon = 'openre';
        ...
        public static function hashPassword($password, $salt) {
                return md5($salt . $password . $salt . self::$_saltAddon);
        }


It was noted that the YII framework 1.1.16 CSRF prevention token cookie value was inserted into JavaScript without 
further validating it, this would enable any cookie forcing attacks to escalate quickly to XSS, and seems ill advised 
for want of one regular expression. The issue was previously discussed in the YII bug tracker but not addressed, as of 
itself it is not an exploit. There was also some good discussion about whether using cookies as a store for CSRF tokens 
is a desirable practice; storing the CSRF token in the server’s session would seem preferable, propagating the value 
beyond the essential places would seem to place it at risk of being compromised and CSRF protection to thus fail.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: