<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>nGenuity Information Services &#187; Realty</title>
	<atom:link href="http://www.ngenuity.org/wordpress/category/verticals/realty/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ngenuity.org/wordpress</link>
	<description>Security for the A.D.D generation</description>
	<lastBuildDate>Wed, 10 Mar 2010 19:25:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>NGENUITY-2009-002 &#8211; Open-Realty SQL Injection</title>
		<link>http://www.ngenuity.org/wordpress/2009/01/27/ngenuity-2009-002-open-realty-sql-injection/</link>
		<comments>http://www.ngenuity.org/wordpress/2009/01/27/ngenuity-2009-002-open-realty-sql-injection/#comments</comments>
		<pubDate>Wed, 28 Jan 2009 05:22:56 +0000</pubDate>
		<dc:creator>Adam Baldwin</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Realty]]></category>
		<category><![CDATA[Web Application Security]]></category>
		<category><![CDATA[advisory]]></category>
		<category><![CDATA[blind sqli]]></category>
		<category><![CDATA[sql injection]]></category>
		<category><![CDATA[sqli]]></category>
		<category><![CDATA[webappsec]]></category>

		<guid isPermaLink="false">http://www.ngenuity.org/wordpress/?p=98</guid>
		<description><![CDATA[nGenuity Information Services &#8211; Security Advisory
   Advisory ID: NGENUITY-2009-002
   Application: Open-Realty 2.5.5
        Vendor: Transparent Technologies,INC
Vendor website: http://www.transparent-tech.com/
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     "Open-Realty® is an open source web based real estate listing management
application. It is intended to [...]]]></description>
			<content:encoded><![CDATA[<p>nGenuity Information Services &#8211; Security Advisory</p>
<pre>   Advisory ID: NGENUITY-2009-002
   Application: Open-Realty 2.5.5
        Vendor: Transparent Technologies,INC
Vendor website: <a href="http://www.transparent-tech.com/">http://www.transparent-tech.com/</a>
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     "Open-Realty® is an open source web based real estate listing management
application. It is intended to be both easy to setup and use. Written
in PHP, Open-Realty® is designed to be a fast and flexible tool for
your real estate website" [1]

 II. DETAILS
     A Blind SQL Injection vulnerability exists within Open-Realty that is
     exploitable by a user with admin or agent privileges.

     This vulnerability can be exploited by inserting specially crafted SQL
     into the edit form field in the image upload feature of Open-Realty.

     Successful exploitation of this vulnerability could result in extraction
     of data from the Open-Realty database.

III. VENDOR
     1.27.2009 - Version 2.5.6 has been released and addresses this vulnerability.

 IV. REFERENCES
     [1] - http://www.open-realty.org/
Copyright (c) 2008 nGenuity Information Services, LLC</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.ngenuity.org/wordpress/2009/01/27/ngenuity-2009-002-open-realty-sql-injection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NGENUITY-2009-001 &#8211; Open-Realty Multiple XSS Vulnerabilities</title>
		<link>http://www.ngenuity.org/wordpress/2008/12/31/ngenuity-2009-001-open-realty-multiple-xss-vulnerabilities/</link>
		<comments>http://www.ngenuity.org/wordpress/2008/12/31/ngenuity-2009-001-open-realty-multiple-xss-vulnerabilities/#comments</comments>
		<pubDate>Wed, 31 Dec 2008 18:17:11 +0000</pubDate>
		<dc:creator>Adam Baldwin</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Realty]]></category>
		<category><![CDATA[Web Application Security]]></category>
		<category><![CDATA[advisory]]></category>
		<category><![CDATA[webappsec]]></category>
		<category><![CDATA[XSS]]></category>

		<guid isPermaLink="false">http://www.ngenuity.org/wordpress/?p=88</guid>
		<description><![CDATA[nGenuity Information Services &#8211; Security Advisory
   Advisory ID: NGENUITY-2009-001
   Application: Open-Realty 2.5.5
        Vendor: Transparent Technologies,INC
Vendor website: http://www.transparent-tech.com/
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     "Open-Realty® is an open source web based real estate listing management
application. It is intended to [...]]]></description>
			<content:encoded><![CDATA[<p>nGenuity Information Services &#8211; Security Advisory</p>
<pre>   Advisory ID: NGENUITY-2009-001
   Application: Open-Realty 2.5.5
        Vendor: Transparent Technologies,INC
Vendor website: <a href="http://www.transparent-tech.com/">http://www.transparent-tech.com/</a>
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     "Open-Realty® is an open source web based real estate listing management
application. It is intended to be both easy to setup and use. Written
in PHP, Open-Realty® is designed to be a fast and flexible tool for
your real estate website" [1]

 II. DETAILS
     Multiple reflected cross-site scripting (XSS) vulnerabilities exist within
Open-Realty v2.5.5. These are due to user input being echoed back to the user
unaltered, without being properly encoded.

Reflected:

http://www.example.com/openrealty/index.php?action=contact_agent&amp;listing_id=XSS&amp;popup=yes

http://www.example.com/openrealty/index.php?action=contact_agent&amp;popup=yes&amp;agent_id=XSS

http://www.example.com/openrealty/index.php?action=calculator&amp;price=XSS&amp;popup=y

1.27.2009 - Version 2.5.6 has been released and addresses this vulnerability.

III. REFERENCES
     [1] - http://www.open-realty.org/
Copyright (c) 2008 nGenuity Information Services, LLC

 IV. EDITS
1/18/2008 - Vendor notification "releasing a new version of Open-Realty 2.5.6 this week to fix the XSS reflection vulnerabilities..."
1/20/2008 - Removed persistent section of advisory. Informed by the vendor that "There is an option to strip HTML from the
listing and agent fields when agents post in the Open-Realty configuration, under Editor/Html. If that is on any html posted in a
field by an agent will be removed."
1/27/2009 - Added vendor fix information.</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.ngenuity.org/wordpress/2008/12/31/ngenuity-2009-001-open-realty-multiple-xss-vulnerabilities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
