← Advisories

RealtyScript v4.0.2 Multiple Time-based Blind SQL Injection Vulnerabilities

Medium
Advisory ID
ZSL-2015-5270
Release Date
19 October 2015
Vendor
Next Click Ventures - http://www.realtyscript.com
Affected Version
4.0.2
CVE
CVE-2015-20120, CVE-2015-20121
Tested On
Apache/2.4.6 (CentOS), PHP/5.4.16, MariaDB-5.5.41
Summary

RealtyScript is award-winning real estate software that makes it effortless for a real estate agent, office, or entrepreneur to be up and running with a real estate web site in minutes. The software is in daily use on thousands of domain names in over 40 countries and has been translated into over 25 languages.

Description

RealtyScript suffers from multiple SQL Injection vulnerabilities. Input passed via the GET parameter 'u_id' and the POST parameter 'agent[]' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Proof of Concept
realtyscript_sqli.txtTXT
Disclosure Timeline
01.10.2015Vulnerability discovered.
08.10.2015Vendor contacted.
18.10.2015No response from the vendor.
19.10.2015Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/38497/
[2]https://packetstormsecurity.com/files/134017
[3]https://cxsecurity.com/issue/WLB-2015100132
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/107425
[5]https://www.cve.org/CVERecord?id=CVE-2015-20120
[6]https://www.cve.org/CVERecord?id=CVE-2015-20121
Changelog
19.10.2015Initial release
21.10.2015Added reference [2] and [3]
31.10.2015Added reference [4]
24.03.2026Added reference [5] and [6]