Jan 27, 2009
NGENUITY-2009-002 – Open-Realty SQL Injection
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2009-002
Application: Open-Realty 2.5.5
Vendor: Transparent Technologies, INC
Vendor website: http://www.transparent-tech.com/
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

I. BACKGROUND

"Open-Realty® is an open source web based real estate listing management application. It is intended to be both easy to setup and use. Written in PHP, Open-Realty® is designed to be a fast and flexible tool for your real estate website" [1]

II. DETAILS

A Blind SQL Injection vulnerability exists within Open-Realty that is exploitable by a user with admin or agent privileges. This vulnerability can be exploited by inserting specially crafted SQL into the edit form field in the image upload feature of Open-Realty. Successful exploitation of this vulnerability could result in extraction of data from the Open-Realty database.

III. VENDOR

1.27.2009 - Version 2.5.6 has been released and addresses this vulnerability.

VI. REFERENCES

[1] - http://www.open-realty.org/

Copyright (c) 2008 nGenuity Information Services, LLC
