PHP Property Rental Script SQLi & XSS Vulnerability

vendor:

PHP Property Rental Script

by:

L0rd CrusAd3r aka VSN

7,5

CVSS

HIGH

SQLi & XSS

89, 79

CWE

Product Name: PHP Property Rental Script

Affected Version From: 3.0

Affected Version To: 3.0

Patch Exists: YES

Related CWE: N/A

CPE: a:zincksoft:php_property_rental_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

PHP Property Rental Script SQLi & XSS Vulnerability

PHP Property Rental Script is vulnerable to SQL injection and XSS. An attacker can inject malicious SQL queries into the vulnerable parameter 'PID' in the 'view.php' page. An attacker can also inject malicious JavaScript code into the vulnerable parameter 'PID' in the 'view.php' page.

Mitigation:

Input validation should be used to prevent SQL injection and XSS attacks. The application should also be kept up to date with the latest security patches.

Source

Exploit-DB raw data:

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:PHP Property Rental Script SQLi & XSS Vulnerability
Version:3.0
Price:600$
Vendor url:http://www.zincksoft.com/
Published: 2010-06-09
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue™®, S1ayer,d3c0d3r and to all
ICW members
###############################################################################################################################################################################################

PHP Property Rental Script SQLi & XSS Vulnerability

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]

#####################################################################################################################################################################################################

Description:

PHP Property Rental Script

PHP Property Rental Script is a wonderful solution to launch your own
Property rental or sale website. Script has very good features to provide a
very sound foundation to your rental portal site
. Script offers great earning potential. It is a Complete Script with
quality features like:
1. Property profiles Rental Offers
2. Internal messaging
3. Google Map
4. FULLY customizable site colors and graphics
5. Script parameters are highly configurable through script admin panel.
6. Paypal Payment Gateway
7. Membership options
8.And of course great earning potential And lot more
#######################################################################################################################################################################################################

Vulnerability:

*SQLi Vulnerability

DEMO URL :http://server/view.php?PID=[sqli]

*XSS Vulnerability

Pattern:'"-->

DEMO URL :http://server/view.php?PID=[XSS]