vendor: Property Listing Script
by: Ihsan Sencan
CVSS: 8.8 (HIGH)
SQL Injection
CWE: 89
Product Name: Property Listing Script
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: NO
Related CWE: N/A
CPE: a:phpjabbers:property_listing_script
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win7 x64, Kali Linux x64
2017
Property Listing Script v3.1 – SQL Injection
An attacker can exploit a SQL injection vulnerability in Property Listing Script v3.1 to gain unauthorized access to the application. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'controller', 'action', 'listing_search', 'min_bedrooms', 'max_bedrooms', 'min_bathrooms', and 'max_bathrooms' parameters of the 'preview.php' script. An attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. This may allow the attacker to access or modify sensitive data in the back-end database.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to construct SQL commands that are passed to the database. Parameterized queries should be used to ensure that user-supplied input is treated as a literal value and not as executable code.
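The mitigation applied to the controller/action pair and the numeric search filters named above, as an added PHP example (not code from Property Listing Script or its vendor). The `listings` table, its columns and the `Listings`/`search` route names are assumptions, and the constructed demo data needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Hypothetical route allowlist; the product's real controller/action names are not on the page.
const ALLOWED_ROUTES = ['Listings' => ['search']];
function routeAllowed(array $in): bool
{
    $c = $in['controller'] ?? '';
    $a = $in['action'] ?? '';
    return is_string($c) && is_string($a) && in_array($a, ALLOWED_ROUTES[$c] ?? [], true);
}

// Null when the filter is absent, an int within range otherwise; anything else throws.
function intParam(array $in, string $key, int $min = 0, int $max = 50): ?int
{
    if (!isset($in[$key]) || $in[$key] === '') {
        return null;
    }
    $v = filter_var($in[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($v === false) {
        throw new InvalidArgumentException("invalid $key");
    }
    return $v;
}

function searchListings(PDO $db, array $in): array
{
    if (!routeAllowed($in)) {
        throw new InvalidArgumentException('unknown controller/action');
    }
    $sql = 'SELECT id, title FROM listings WHERE 1=1';  // assumed schema
    $args = [];
    $clauses = ['min_bedrooms' => 'bedrooms >= ?', 'max_bedrooms' => 'bedrooms <= ?',
        'min_bathrooms' => 'bathrooms >= ?', 'max_bathrooms' => 'bathrooms <= ?'];
    foreach ($clauses as $key => $clause) {  // SQL text comes only from this fixed map
        if (($v = intParam($in, $key)) !== null) {
            $sql .= " AND $clause";
            $args[] = $v;                    // the value is bound, never concatenated
        }
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($args);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, bedrooms INT, bathrooms INT)');
$db->exec("INSERT INTO listings (title, bedrooms, bathrooms) VALUES ('Flat', 2, 1), ('House', 4, 2)");
print_r(searchListings($db, ['controller' => 'Listings', 'action' => 'search', 'min_bedrooms' => '3']));
```

A non-integer value such as `2abc`, or a controller/action pair outside the allowlist, raises `InvalidArgumentException` before any SQL is prepared.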