# Title: persistence XSS flaw in Open Realty 2.x and 3.x
# Author: K053  <K053.dev0te3 at gmail>
# Date: 2010-7-24
# Hompage: http://open-realty.org
# Download Link: http://www.open-realty.org/download.html
# Version: 3.x & 2.x < seems all version >
======================================================================================================
Detail :
========
 
    function save_search(){
       ...
       ...
        
       // $title contain user supplied serach result name which save in DB without any input validation
        
       if ($num_columns == 0) {
            $sql = "INSERT INTO " . $config['table_prefix'] . "usersavedsearches
            (userdb_id, usersavedsearches_title, usersavedsearches_query_string,
            usersavedsearches_last_viewed,usersavedsearches_new_listings,usersavedsearches_notify)
            VALUES ($userID, $title, $query,now(),0, $notify)";
       ...
       ...
    }
    function view_saved_searches()
    {
       ... 
       ...
       else {  
                    while (!$recordSet->EOF) {
                    $title = $misc->make_db_unsafe($recordSet->fields['usersavedsearches_title']);
                    if ($title == '') {
                        $title = $lang['saved_search'];
                    }
                    $display .= '<a href="index.php?action=searchresults&' . $misc->make_db_unsafe
                    ($recordSet->fields['usersavedsearches_query_string']) . '">' . $title . '</a> 
                       <div class="note"><a href="index.php?action=delete_search&
                    searchID=' . $misc->make_db_unsafe($recordSet->fields['usersavedsearches_id']) . '"
                    onclick="return confirmDelete()">' . $lang['delete_search'] . '</a></div><br /><br />';
 
                    $recordSet->MoveNext();
                }
            }
        }else {
            $display = $status;
        }
         
        // and no output validation, $display passed immediately
         
        return $display;
======================================================================================================
POC :
=====
load http://address/index.php?action=save_search   < note some parameter set by passed url >
in textbox enter <script>alert(0)</scritp>.
 
load http://address/index.php?action=view_saved_searches  to view result
______________________________________________________________________________________________________
lackout Frenzy [http://b0f.ir]