Online Dating Software by AEwebworks - aeDating Script <= 4.0 Version Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Online Dating Software by AEwebworks - aeDating Script <= 4.0 Version Vulnerability
From: alexsrb@xxxxxxxxxxx
Date: 15 Sep 2005 11:27:40 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Online Dating Software by AEwebworks - aeDating Script <= 4.0 Version

I have found Vulnerability  in Online Dating Software by AEwebworks - aeDating 
Script <= 4.0 version  which is exploitable when you  are searching  for your 
soulmate at aeDating service Software.

For example :
www.[target].com/search.php  just choose one Country and click on the Search 
button , After having done that you can see something like this :

www.target.com/search_result.php?Sex=male&LookingFor=female&DateOfBirth_start=18&DateOfBirth_end=40&Country%5B%5D=0

And at this instant to complete it all, all you have to do is add something of 
your individual choosing at the end of the link for an example  UNION 



www.target.com/search_result.php?Sex=male&LookingFor=female&DateOfBirth_start=18&DateOfBirth_end=40&Country%5B%5D=0UNION




And search result:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result 
resource in /home/site/public_html/search_result.php on line 370

ERROR Database access error

Best Regards
Alex

Prev by Date: CastleCops ramps up fight against CoolWebSearch/HomeSearch
Next by Date: Oracle Reports: Generic SQL Injection Vulnerability via Lexical References
Previous by thread: Re: CastleCops ramps up fight against CoolWebSearch/HomeSearch
Next by thread: Re: Online Dating Software by AEwebworks - aeDating Script <= 4.0 Version Vulnerability
Index(es):
- Date
- Thread