by r0t,der4444,cembo,VietMafia

Tuesday, November 29, 2005

O-Kiraku Nikki v1.3 SQL inj. vuln.

O-Kiraku Nikki v1.3 SQL inj. vuln.
Vuln. dicovered by : r0t
Date: 29 nov. 2005
Vendor:http://www.ag0ny.com/okiraku.php
affected version:v1.3 and prior

Product Description:
'O-Kiraku Nikki' is Japanese for 'A Nice Calendar'. It is a simple PHP program that displays a calendar on a Web site, with the ability to add as many annotations as desired to any day, and have these annotations displayed on a Web page. It can be used as a diary, a Weblog, or a scheduler, etc. It comes with full multilanguage (Unicode) support, and includes by default English, Japanese, German and Spanish, Swedish, Italian and Dutch translations. It has been designed with both security and simplicity in mind.

Vuln. description:
Input passed to the "day_id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/okiraku.php?lang=&day_id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

0 Comments:

Post a Comment

<< Home

 
Copyright (c) 2006 Pridels Sec Crew