0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Real Estates Property CMS 2012 - Multiple Web Vulnerabilities
Title: ====== Real Estates Property CMS 2012 - Multiple Web Vulnerabilities Introduction: ============= Real Estate property is an online real-estate service committed to helping you make wise and profitable decisions related to buying, selling, renting and leasing of properties, in India and key global geographies. It will provide a fresh new approach to our esteemed users to search for properties to buy or rent, and list their properties for selling or leasing. (Copy of the Vendor Homepage: http://www.gharwhar.com) Details: ======== 1.1 A remote SQL Injection vulnerability is detected on Real Estates property website cms 2012 Q2. The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise. Vulnerable Module(s): [+] Project-Shree_Balaji_-Ahmedabad-4 [+] property_listings_detail.php?listingid=12[ [+] my_account_edit_builder_project.php?id=37%27 [+] my_account_view_builder_project.php?id=37 --- SQL Exception Logs --- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \\\\\\\'Approved\\\\\\\' AND proj_featured=\\\\\\\'yes\\\\\\\'\\\\\\\' at line 1 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near Approved AND proj_featured= yes at line 1 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 37 at line 1 1.2 A persistent input validation vulnerabilities are detected Real Estates property website cms 2012 Q2. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action. Vulnerable Module(s): [+] Create Object - Project Name / Title/Short Description/Project TypeProject Location / Address/Contact Person/Address 1.3 Arbiritrary File Upload Arbitrary file upload vulnerability allows the attacker to upload different files that aren\\\\\\\'t images or pdf. The attacker can upload these files after, he/she remans them to file.php%00.jpg. The null byte get truncated and the the file file.php get uploaded Vulnerable Module(s): [+] Property Details - uploading propertied photos [+] add profile photo # 0day.today [2024-09-28] #