Php script form dating newest completely online dating site


Advisory ID: HTB23294
Product: Dating Pro
Vendor: Dating Pro
Vulnerable Version(s): Genie (2015.7) and probably prior
Tested Version: Genie (2015.7)
Advisory Publication: February 10, 2016 [without technical details]
Vendor Notification: February 10, 2016
Vendor Patch: February 29, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: Critical
CVSSv3 Base Scores: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H], 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https:// )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Dating Pro, a popular dating social network. A remote unauthenticated attacker can perform CSRF attacks to change the administrator's credentials and execute arbitrary system commands. Successful exploitation may allow an attacker to gain complete control over the vulnerable website, all its users and its databases.

1) CSRF in "/admin/ausers/index"

The vulnerability exists because the "/admin/ausers/index" script does not validate the origin of HTTP requests.

To reproduce the vulnerability, create an empty HTML file, paste the CSRF exploit code into it, log in to the iTop website and open the file in your browser:

Now you can log in as administrator using the above-mentioned credentials.

2) CSRF in "/admin/notifications/settings/"

The vulnerability exists because the "/admin/notifications/settings/" script does not validate the origin of HTTP requests.

A remote unauthenticated attacker can create a specially crafted malicious web page containing a CSRF exploit, trick a logged-in administrator into visiting that page, spoof the HTTP request as if it came from the legitimate user, and execute arbitrary system commands with the privileges of the web server.

A simple exploit below replaces the full path to the sendmail program with the following "cp config.txt" system command, which copies the "config.php" file into "config.txt", making its content publicly accessible:

-----------------------------------------------------------------------------------------------

Solution:

Update to Genie (2015.7) released after February 29, 2016.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23294 - https:// - Admin Password Reset & RCE via CSRF in Dating Pro
[2] Dating Pro - Everything you need to start and run a dating business.
[3] Common Weakness Enumeration (CWE) - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
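Both findings come down to the same missing control: a state-changing admin endpoint that never checks where the request came from. The following is an added illustration, not Dating Pro's code, of the request-origin check plus a per-session synchronizer token that closes this class of bug; the host name, secret and sample requests are constructed for the example.

```python
# Added example (not from the advisory or the vendor): the origin and
# synchronizer-token checks that a state-changing admin script should apply.
import hmac
import hashlib
from urllib.parse import urlsplit

SITE_HOST = "dating.example"                      # assumed deployment host
SECRET = b"server-side-secret-kept-outside-webroot"  # assumed server secret

def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token; the form embeds it, the handler recomputes it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def origin_is_trusted(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) host is ours.
    A request carrying neither header is rejected: fail closed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST

def csrf_check(request: dict) -> tuple:
    """Gate a request to an admin action such as POST /admin/ausers/index."""
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return (True, "safe method")            # reads do not change state
    if not origin_is_trusted(request["headers"]):
        return (False, "origin mismatch")       # cross-site page submitted the form
    expected = issue_csrf_token(request["session_id"])
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return (False, "bad token")             # constant-time compare
    return (True, "ok")

# Constructed sample requests: the admin's own form post, and a forged one
# submitted by a page on another site while the admin is still logged in.
SESSION = "sess-1234"
LEGIT = {"method": "POST", "session_id": SESSION,
         "headers": {"Origin": "https://dating.example"},
         "form": {"email": "admin@dating.example",
                  "csrf_token": issue_csrf_token(SESSION)}}
FORGED = {"method": "POST", "session_id": SESSION,
          "headers": {"Referer": "https://other.example/page.html"},
          "form": {"email": "someone@other.example"}}

if __name__ == "__main__":
    print(csrf_check(LEGIT))    # (True, 'ok')
    print(csrf_check(FORGED))   # (False, 'origin mismatch')
```

The browser attaches the victim's cookies to the forged request, which is why the cookie alone cannot authenticate a state change; the Origin header and the token are what the cross-site page cannot supply.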

