by r0t, der4444, cembo, VietMafia

Tuesday, November 29, 2005

Calendar Express 2 SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 Nov. 2005
Vendor: www.phplite.com/products/calendarexpress/index.php
Affected version: 2.2 and prior

Product Description:
Calendar Express 2 is a comprehensive and robust web based calendar and event publishing system ideal for large organizations, internet portals, educational institutions and corporate intranets. The feature packed product supports unlimited number of categories and calendars and comes with an intuitive, easy to use interface. Other features include My Events control panel, synchronization with Outlook and Palm, multiple style pack support and a lot more.

Vuln. description:
Input passed to the "cid" and "catid" parameters in "day.php", "week.php", "month.php" and "year.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/day.php?cid=[SQL]
/day.php?cid=&catid=[SQL]

/week.php?cid=&catid=[SQL]
/week.php?cid=[SQL]

/month.php?cid=&catid=[SQL]
/month.php?cid=[SQL]

/year.php?cid=&catid=[SQL]
/year.php?cid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.
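As an added illustration of the vulnerability description and the solution above (this is not Calendar Express's own code; the table and column names are assumptions), the following hypothetical PHP fragment shows the unsafe pattern beside a hardened version: cid and catid are numeric ids, so they are validated as integers and bound as typed parameters instead of being concatenated into the query. An empty cid is treated as "no filter", matching the empty cid= seen in the advisory's example URLs.

```php
<?php
// Added example, not Calendar Express's own code. Table/column names are assumptions.

// Unsafe pattern as the advisory describes it: request values are concatenated
// straight into the SQL text, so a crafted cid or catid rewrites the query.
function dayEventsUnsafe(PDO $db, array $get): array
{
    $sql = "SELECT * FROM events WHERE cid = '{$get['cid']}' AND catid = '{$get['catid']}'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Returns null when the parameter is absent or empty (an empty cid is a normal
// input in the advisory's URLs), the integer when it is a well-formed id,
// and false for anything else.
function optionalId(array $get, string $name)
{
    if (!isset($get[$name]) || $get[$name] === '') {
        return null;
    }
    return filter_var($get[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Hardened version: validate both ids as integers and bind them as typed
// parameters, so the database never interprets request data as SQL.
function dayEvents(PDO $db, array $get): array
{
    $where  = [];
    $params = [];
    foreach (['cid', 'catid'] as $name) {      // column names come from this fixed list only
        $value = optionalId($get, $name);
        if ($value === false) {
            http_response_code(400);
            exit("invalid $name");
        }
        if ($value !== null) {
            $where[]       = "$name = :$name";
            $params[$name] = $value;
        }
    }
    $sql  = 'SELECT * FROM events' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue(":$name", $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same optionalId() check and bound-parameter query apply to week.php, month.php and year.php, which the advisory lists as reading the same two parameters.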

Copyright (c) 2006 Pridels Sec Crew