BestWebApp Dating Site Multiple Input Validation Vulnerabilities

Bugtraq ID:	21158
Class:	Input Validation Error
CVE:	CVE-2006-6022 CVE-2006-6021
Remote:	Yes
Local:	No
Published:	Nov 17 2006 12:00AM
Updated:	Feb 25 2008 02:22PM
Credit:	Laurent Gaffie and Benjamin Mosse are credited with the discovery of these vulnerabilities.
Vulnerable:	BestWebApp Dating Site 0
Not Vulnerable:

BestWebApp Dating Site Multiple Input Validation Vulnerabilities

BestWebApp Dating Site is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues, because it fails to sufficiently sanitize user-supplied input.

An attacker could exploit these issues to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

BestWebApp Dating Site Multiple Input Validation Vulnerabilities

An attacker can exploit these issues via a web client.

The following proofs of concept are available:

SQL-injection:
username = ' or '1' = '1'
passwd = ' or '1' = '1'

Cross-site scripting:
login_form.asp?msg=[xss here]

BestWebApp Dating Site Multiple Input Validation Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

BestWebApp Dating Site Multiple Input Validation Vulnerabilities

References:

• Vendor Home Page (BestWebApp)
  
• [Aria-Security.Net] BestWebApp Dating System SQL Injection ([email protected])
  
• Dating Site [ login bypass & xss] ([email protected])