CVE-2020-37163
Description
QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
QuickDate 1.3.2 has a SQL injection in the find_matches endpoint via the '_located' parameter, allowing remote attackers to extract database contents.
Vulnerability Overview
QuickDate 1.3.2, a PHP-based dating script, contains a SQL injection vulnerability in the find_matches endpoint. The _located parameter is not properly sanitized before being used in database queries, allowing an attacker to inject arbitrary SQL statements. This flaw enables UNION-based SQL injection, which can be exploited to extract sensitive information from the database [1][3].
Exploitation
The attack is performed by sending a crafted POST request to the /find_matches endpoint with a malicious _located parameter. No authentication is required, and the attacker only needs network access to the vulnerable application. The exploit does not require any special privileges or user interaction, making it easily exploitable by remote attackers [1].
Impact
Successful exploitation allows an attacker to retrieve database contents, including user credentials (such as usernames and password hashes), the database name, and the database system version. This information can be used to compromise user accounts or further attack the application and its infrastructure [1][3].
Mitigation
As of the publication date, no official patch has been released for QuickDate 1.3.2. The vendor's website (quickdatescript.com) is no longer accessible, suggesting the product may be abandoned or unsupported [2]. Users are advised to migrate to an alternative solution or implement input validation and parameterized queries as a workaround.
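A sketch of the workaround named above (input validation plus a parameterized query), as an added example that is not QuickDate's code. The table and column names, the assumption that `_located` carries an integer distance, the 1000 upper bound, and the use of SQLite in place of the application's database are all assumptions made for illustration.

```python
import sqlite3

MAX_DISTANCE = 1000  # assumed upper bound for the filter, not a QuickDate value


def parse_located(raw):
    """Allow-list check: accept only a short ASCII decimal integer in range."""
    if not isinstance(raw, str) or len(raw) > 4 or not raw.isascii() or not raw.isdigit():
        raise ValueError("_located must be a non-negative integer")
    value = int(raw)
    if value > MAX_DISTANCE:
        raise ValueError("_located out of range")
    return value


def find_matches(conn, raw_located):
    """Validate first, then bind the value as a parameter instead of
    concatenating it into the SQL text."""
    located = parse_located(raw_located)
    rows = conn.execute(
        "SELECT username FROM profiles WHERE distance_km <= ? ORDER BY distance_km",
        (located,),
    ).fetchall()
    return [row[0] for row in rows]


def build_demo_db():
    """Constructed sample data; SQLite stands in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profiles (username TEXT, distance_km INTEGER);
        INSERT INTO profiles VALUES ('alice', 5), ('bob', 40), ('carol', 300);
    """)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(find_matches(db, "50"))  # normal request
    for bad in ("50 UNION SELECT 1", "-7", "5'", ""):  # constructed inputs
        try:
            find_matches(db, bad)
        except ValueError as exc:
            print(repr(bad), "rejected:", exc)
```

The two layers are independent: validation rejects anything that is not a plain integer before it reaches the database, and the bound parameter keeps the value out of the SQL text even if the validation rule is later loosened.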
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References: 3
News mentions: 0 (no linked articles in our index yet)