aeDating index.php skin Parameter Local File Inclusion
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
aeDating contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the "index.php" script not properly sanitizing user input supplied to the "skin" variable. This may allow an attacker to include an arbitrary file from the local host.
Upgrade to version 3.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
aeDating is prone to a local file include vulnerability.
The problem presents itself when an attacker passes the location of a potentially malicious local script through a parameter of the 'index.php' script.
An attacker may leverage this issue to execute arbitrary server-side script code that resides on an affected computer with the privileges of the Web server process. This may potentially facilitate unauthorized access.
It should be noted that this issue may also be leveraged to read arbitrary files on an affected computer with the privileges of the Web server.
aeDating 3.2 and prior are affected by this issue.
An exploit is not required.
Currently we are not aware of any vendor-supplied patches for this issue.
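Until an affected installation is upgraded, requests that abuse the "skin" parameter of index.php can be spotted in the web server's access log. The following is an added example, not part of the original advisory or of aeDating's code; the log lines are constructed, and the rule that a legitimate skin name is a short plain identifier is an assumption to adjust to the skins actually installed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format); not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2006:10:01:02 +0000] "GET /index.php?skin=default HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2006:10:03:17 +0000] "GET /index.php?skin=../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.9 - - [12/Mar/2006:10:03:40 +0000] "GET /index.php?skin=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 310',
    '203.0.113.7 - - [12/Mar/2006:10:05:00 +0000] "GET /profile.php?skin=../x HTTP/1.1" 404 210',
    '203.0.113.5 - - [12/Mar/2006:10:06:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 4801',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate skin name is a short plain identifier.
SAFE_SKIN_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded values are compared in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def skin_values(line):
    """Return the decoded "skin" query values of a request to index.php, if any."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/index.php"):
        return []
    return [decode_fully(v) for v in parse_qs(url.query).get("skin", [])]


def scan(lines):
    """Return (line_number, skin_value) for every skin value outside the allow-list."""
    return [
        (number, value)
        for number, line in enumerate(lines, start=1)
        for value in skin_values(line)
        if not SAFE_SKIN_RE.fullmatch(value)
    ]


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious skin value {value!r}")
```

This only sees values sent in the query string; a "skin" value submitted in a POST body does not appear in a standard access log.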