Real Estate Portal v4.1 Remote Code Execution and Persistent XSS Vulnerabilities

Title: Real Estate Portal v4.1 Remote Code Execution and Persistent XSS Vulnerabilities
Advisory ID: ZSL-2016-5325
Type: Local/Remote
Impact: Cross-Site Scripting, System Access
Risk: (4/5)
Release Date: 25.05.2016
Summary
Real Estate Portal is a PHP application that lets you launch powerful, professional-looking real estate portals with rich functionality for private sellers, buyers and real estate agents to list properties for sale or rent, search the database, show featured ads and more. Private sellers can manage their ads at any time through their personal administration space.
Description
Real Estate Portal suffers from an arbitrary file upload vulnerability leading to arbitrary PHP code execution. The vulnerability is caused by improper verification of uploaded files in the '/upload.php' script through the 'myfile' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with a '.php' extension, which will be stored in the '/uploads' directory. Multiple persistent cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple POST parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
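As an added illustration of what "proper verification" of the 'myfile' upload would look like (example code written for this advisory, not Real Estate Portal's own '/upload.php'), the handler below allowlists extensions, checks that file content matches the extension, discards the client-supplied name, and escapes everything echoed back. It assumes PHP 7 or later, that only images are legitimate uploads (a hypothetical policy), and that files live under '/uploads' as the advisory states.

```php
<?php
// Added example (not Real Estate Portal's code): a hardened handler for the
// 'myfile' upload described in the advisory. Assumes PHP 7+, storage under
// /uploads, and an image-only upload policy (hypothetical).
const UPLOAD_DIR = __DIR__ . '/uploads';
// Allowlist of extension => MIME type that must be detected from the file content.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function handleUpload(array $file): string
{
    // Reject anything PHP's own upload machinery flagged (missing, partial, too large).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload rejected');
    }
    // Never trust the client-supplied name or type: derive the extension and
    // check it against the allowlist (so 'shell.php' is refused outright)...
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // ...and verify the actual content matches (a '.jpg' that is really PHP source fails here).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Server-chosen random name: the original filename never reaches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}

// Output escaping for stored/reflected fields (the persistent XSS half of the advisory).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['myfile'])) {
    try {
        $stored = handleUpload($_FILES['myfile']);
        echo 'Stored as ' . e(basename($stored));
    } catch (RuntimeException $ex) {
        http_response_code(400);
        echo e($ex->getMessage());
    }
}
```

Pair this with a web-server rule that never hands anything under '/uploads' to the PHP interpreter, so a file that does slip through is served as static data rather than executed.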
Vendor
NetArt Media - http://www.netartmedia.net
Affected Version
4.1
Tested On
nginx/1.10.0
PHP/5.2.17
MySQL/5.1.66
Vendor Status
[06.05.2016] Vulnerability discovered.
[09.05.2016] Vendor contacted.
[24.05.2016] No response received from the vendor.
[25.05.2016] Public security advisory released.
PoC
realestateportal_mv.txt
Credits
Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/39855/
[2] https://cxsecurity.com/issue/WLB-2016050132
[3] https://cxsecurity.com/issue/WLB-2016050135
[4] https://packetstormsecurity.com/files/137203
[5] https://packetstormsecurity.com/files/137204
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/113538
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/113539
Changelog
[25.05.2016] - Initial release
[26.05.2016] - Added reference [1]
[27.05.2016] - Added reference [2] and [3]
[28.05.2016] - Added reference [4] and [5]
[29.05.2016] - Added reference [6] and [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk