R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities

Title: R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities
Advisory ID: ZSL-2015-5274
Type: Local/Remote
Impact: Cross-Site Scripting, Privilege Escalation
Risk: (3/5)
Release Date: 11.11.2015
Summary
PHP Vacation Rental Script is the best solution for your vacation rentals online business.
Description
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Stored cross-site scripting vulnerabilitity was also discovered. The issue is triggered when input passed via multiple POST parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Vendor
R-Scripts - http://www.r-scripts.com
Affected Version
7R
Tested On
Apache/2.2.29
PHP/5.3.29
Vendor Status
[01.10.2015] Vulnerabilities discovered.
[11.11.2015] Vendor contacted.
[11.11.2015] Vendor responds asking more details.
[11.11.2015] Sent details to the vendor.
[11.11.2015] Vendor informs that csrf protection exists but not by default.
[11.11.2015] Vendor enables csrf protection to be by default.
[11.11.2015] Public security advisory released.
PoC
vrs_csrfxss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/38684/
[2] https://packetstormsecurity.com/files/134318
[3] https://cxsecurity.com/issue/WLB-2015110092
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/107975
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/107976
Changelog
[11.11.2015] - Initial release
[14.11.2015] - Added reference [1], [2], [3], [4] and [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk