Matrimony Website Script SQL Injection Vulnerability

Vulnerability

Multiple SQL injection vulnerabilities have been identified in Matrimony Website Script M-Plus. These vulnerabilities allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters. Affected parameters include txtGender, religion, Fage, and cboCountry, across several PHP files including simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php. Exploitation of these vulnerabilities could lead to the extraction of sensitive database information or the execution of arbitrary SQL commands.

Impact

Successful exploitation lets an attacker alter the queries the application sends to its database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to one of the vulnerable PHP files (such as simplesearch_results.php or advsearch_results.php) with crafted SQL payloads in the vulnerable parameters. For example, injecting SQL code that exploits the application's query handling could bypass authentication or access restricted data.
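
One way to harden a search handler that receives the POST parameters named above, as an added example that is not the product's code: each value is validated, then bound to a prepared statement instead of being concatenated into the SQL text. The `profiles` table, its columns, the gender allow-list, the age bounds and both function names are assumptions, and the demo rows are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not the product's code. Assumed: table `profiles`, its columns,
// the gender allow-list and the age bounds.
const GENDERS = ['Male', 'Female'];

function clean_search_input(array $post): array
{
    $gender = $post['txtGender'] ?? '';
    if (!is_string($gender) || !in_array($gender, GENDERS, true)) {
        throw new InvalidArgumentException('txtGender');
    }
    // Integer in an assumed range; arrays and non-numeric strings fail here.
    $age = filter_var($post['Fage'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 18, 'max_range' => 99]]);
    if ($age === false) {
        throw new InvalidArgumentException('Fage');
    }
    $out = ['gender' => $gender, 'age' => $age];
    foreach (['religion', 'cboCountry'] as $key) {
        $v = $post[$key] ?? '';
        if (!is_string($v) || preg_match('/\A[\p{L}\p{N} .\'-]{1,64}\z/u', $v) !== 1) {
            throw new InvalidArgumentException($key);
        }
        $out[$key] = $v;
    }
    return $out;
}

function search_profiles(PDO $db, array $post): array
{
    $in = clean_search_input($post);
    // Placeholders only: no request value is ever concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM profiles WHERE gender = :g
        AND religion = :r AND age >= :a AND country = :c');
    $stmt->bindValue(':g', $in['gender']);
    $stmt->bindValue(':r', $in['religion']);
    $stmt->bindValue(':a', $in['age'], PDO::PARAM_INT);
    $stmt->bindValue(':c', $in['cboCountry']);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE profiles (id INTEGER, name TEXT, gender TEXT, religion TEXT, age INTEGER, country TEXT)");
$db->exec("INSERT INTO profiles VALUES (1, 'Sample', 'Female', 'Hindu', 30, 'Cote d''Ivoire')");
$ok = ['txtGender' => 'Female', 'religion' => 'Hindu', 'Fage' => '25', 'cboCountry' => "Cote d'Ivoire"];
var_dump(count(search_profiles($db, $ok)));   // the quote in cboCountry is bound as data
try { search_profiles($db, ['txtGender' => 'other'] + $ok); }
catch (InvalidArgumentException $e) { echo "rejected: ", $e->getMessage(), "\n"; }
```

With the MySQL PDO driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that binding is done by the server rather than by client-side string substitution.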

Added: Mar 24, 2026, 12:29 PM
Updated: Mar 24, 2026, 12:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.