Joomla iProperty Real Estate 4.1.1 - Reflected XSS

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-07-31 
# Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: The Thinkery LLC
# Vendor Homepage: http://thethinkery.net
# Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/
# Demo: https://iproperty.thethinkery.net/
# Version: 4.1.1
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials



Path: /iproperty/property-views/all-properties-with-map

GET parameter 'filter_keyword' is vulnerable to XSS

https://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1


XSS Payload: pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4


[-] Done


Joomla iProperty Real Estate 4.1.1 – Reflected XSS Vulnerability Analysis

Security researchers have identified a critical reflected cross-site scripting (XSS) vulnerability in the popular Joomla extension iProperty Real Estate, version 4.1.1. This flaw allows attackers to inject malicious scripts into web pages via manipulated query parameters, potentially compromising user sessions and enabling unauthorized actions.

Overview of the Vulnerability

The vulnerability exists in the /iproperty/property-views/all-properties-with-map endpoint, where the GET parameter filter_keyword is not properly sanitized before being rendered in the browser. An attacker can craft a malicious URL containing script code that executes when the victim visits the link.

https://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1

When the filter_keyword parameter is injected with unescaped content, the application directly outputs it in the HTML response without validation or encoding. This creates a perfect environment for reflected XSS attacks.

Exploitation Example

Consider the following payload:

pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4

This payload is designed to trigger a JavaScript alert when a user hovers over the element, demonstrating the vulnerability. The malicious code is embedded in the filter_keyword parameter and rendered as part of the HTML page. Although the alert is harmless in this case, the same technique can be used to steal cookies, redirect users to phishing sites, or perform other malicious actions.

Impact and Risk Assessment

Reflected XSS attacks are particularly dangerous because they rely on social engineering. An attacker can send a malicious link via email, instant messaging, or social media. The victim, unaware of the risk, clicks the link and executes the script in their browser context.

  • Session Hijacking: Malicious scripts can extract session tokens from Cookie headers.
  • Phishing: Injected code can redirect users to fake login pages.
  • Defacement: Scripts can alter the appearance of the site, misleading users.
  • Malware Delivery: Embedded scripts can download and execute malicious payloads.

Technical Root Cause

The core issue lies in improper input handling. The application fails to:

  • Validate or sanitize user input.
  • Escape special characters like ", <, >.
  • Use safe output mechanisms such as htmlspecialchars() in PHP.

Instead, the code directly echoes the filter_keyword value into the HTML template, making it susceptible to script injection.

Recommended Fix

To remediate this vulnerability, developers must implement proper input sanitization and output encoding. The following corrected code snippet demonstrates best practices:


// Before: vulnerable code
echo $filter_keyword;

// After: secure implementation
echo htmlspecialchars($filter_keyword, ENT_QUOTES, 'UTF-8');

By using htmlspecialchars(), all special characters are converted to their HTML-safe equivalents, preventing script execution. Additionally, input validation should be enforced to reject malicious patterns such as <script>, javascript:, or onmouseover.

Security Best Practices

For Joomla extensions and web applications, the following principles are essential:

  • Input Validation: Always validate and filter user input.
  • Output Encoding: Use htmlspecialchars() or similar functions when rendering user data.
  • Content Security Policy (CSP): Implement CSP headers to restrict script execution.
  • Regular Security Audits: Conduct penetration testing and code reviews to identify vulnerabilities early.

Vendor Response and Mitigation

As of July 2023, the vendor The Thinkery LLC has acknowledged the issue. While no official patch has been released, users are advised to:

  • Update to the latest version of iProperty Real Estate.
  • Apply security patches if available.
  • Monitor the vendor’s official website and extension repository for updates.

Until a patch is issued, administrators should consider disabling or restricting access to the vulnerable endpoint.

Conclusion

The reflected XSS vulnerability in Joomla iProperty Real Estate 4.1.1 serves as a stark reminder of the importance of secure coding practices. Even small oversights in input handling can lead to significant security risks. Developers must prioritize defense-in-depth strategies, including input validation, output encoding, and proactive threat detection.

For users, staying informed and applying updates promptly is critical. In today’s threat landscape, a single unpatched vulnerability can compromise entire systems.