MLS Property Finder Improper Access Control Vulnerability

2013-03-07 / 2013-03-08
Credit: X-Cisadane
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: intext:How can MLS Property Finder benefit you OR inurl:/register.asp?agentid=

=========================================================== MLS Property Finder Improper Access Control Vulnerability =========================================================== :---------------------: : # Exploit Title : MLS Property Finder Improper Access Control Vulnerability : # Date : 08 March 2013 : # Author : X-Cisadane : # Vendor : http://www.mlspropertyfinder.com/ AND http://www.rls2000.com/ : # Version : All Versions : # Category : Web Applications : # Vulnerability : Improper Access Control Vulnerability : # Tested On : Google Chrome 24.0.1312.52 m (Windows XP Professional SP 3 32-Bit EN US) : # Greetz To : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Jakarta Anonymous Club, Bogor-H, Jabar Cyber :-------------------: DORKS (How to find the target) : ================================ intext:How can MLS Property Finder benefit you intext:"Do not use commas in your figures" inurl:calculator.asp inurl:/register.asp?agentid= intext:"Sign up for MLS Property Finder - " intext:Take advantage of my FREE MLS Property Finder service inurl:/detail_agent.asp?agentid= inurl:/searchNEW.asp intext:"Fill out the form below for a market analysis" inurl:/listing.asp?SearchType=ByOffice intext:daily email updates, and much more with MLS Property Finder. Proof of Concept ================= The website (CMS) does not restrict access to the "/update" path to a registered member. A registered member can access into the Website CMS Manager and Managing the Website through "/update" path via URL without Realtor (Site Author) Privilege! For Example : Live Target : http://www.gowithcraig.com/register.asp?agentid=406764 1st. Sign up into the Website by Clicking 'Sign up for MLS Property Finder now' or through http://www.gowithcraig.com/register.asp?agentid=406764&s=contact 2nd. In the Registration Page, fill your contact information (just for formality). Fill the first name, last name, fake email address, etc. Pic : http://i50.tinypic.com/2qn4207.png 3rd. Next click '>> Step 2'. After Search Criteria Form appeared you've to fill out that (just for formality). Then click Submit. Pic : http://i49.tinypic.com/4l35nn.png 4th. Afer you've Clicked Submit button and if the Registration Process was sucessfull, this notification will appear : Thank you, For signing up for my MLS Property Finder, you will receive an email with your username, password and instructions on how to log in to see your listings. Click here to view information on your properties selection. Pic : http://i48.tinypic.com/33vj9zr.png 5th. Just click : 'Click here' and you has entered the Site within 'Registered Member' feature/privilege. Pic : http://i45.tinypic.com/2d8q23a.png Now, How we can step into the Site Manager??? Look at your URL Bar, if the URL is http://www.mlspropertyfinder.com/home/home.asp You've to change into http://www.mlspropertyfinder.com/update/ Pic : http://i47.tinypic.com/w17l9t.png Voila!!! Now you can Manage the site :) If you wanna ruin (Deface) the Site, just replace the content of Site Homepage through http://www.mlspropertyfinder.com/update/update_websiteinfo.asp Pic : http://i47.tinypic.com/a2u72w.png And then Click Edit Content. After that, Click Front Page. Pic : http://i48.tinypic.com/24phs8p.png And the HTML Editor/Page Editor will show. Just fill Meta Title with : Defaced By Your Nick Name. And fill the Body (CLICK HTML<> BUTTON) with this Script : <script>document.body.innerHTML="<h1>0WN3D</h1>This Site 0WN3D BY : Your Nick Name<br/>";</script> Pic : http://i46.tinypic.com/muu0q1.png Click Apply and OK! And Submit. Check the Site (http://www.gowithcraig.com) and Voila!!! Defaced!!! Pic : http://i50.tinypic.com/1zofdz4.png If you wanna find the Realtor Agent (Site Author), just go to http://www.mlspropertyfinder.com/update/agents/ Pic : http://i46.tinypic.com/optkb5.png Look at the Password : paper (Based on my picture above). After you got the password, now you can login as the Realtor Agent (Site Author) through http://www.gowithcraig.com/update/ Fill Username with the AgentID : 406764 and Fill Password with : paper Pic : http://i50.tinypic.com/24czloy.png Q : Where can I find the AgentID? A : AgentID appeared in URL Bar while you in the Register Page, If you've forgotten the AgentID just go through the Registration Page :) If the Username and Password was right, now you can login As Realtor Agent (Site Author) Pic : http://i49.tinypic.com/296iyid.png As the alternative Login page for Site Author you can use this Site http://www.rls2000.com/search/login.asp -= Regards =- Steevee A.K.A

References:

http://i46.tinypic.com/optkb5.png
http://i50.tinypic.com/24czloy.png
http://i50.tinypic.com/24czloy.png
http://www.mlspropertyfinder.com/
AND
http://www.rls2000.com/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top