by r0t,der4444,cembo,VietMafia

Wednesday, March 22, 2006

1WebCalendar v 4.x vuln.

##############################################
Vuln. discovered by: r0t
Date: 22 March 2006
Vendor: www.bensonitsolutions.com/calendar/v4/
Affected version: v4.0 and prior
##############################################

Vuln. desc.

1WebCalendar contains a flaw that allows remote SQL injection attacks. Input passed to the "EventID", "NewsID" and "ThisDate" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

/viewEvent.cfm?EventID=[code]
/news/newsView.cfm?NewsID=[code]
/mainCal.cfm?=[code]

An attacker can also easily obtain the installation path just by testing these holes.
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
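As an added illustration of that fix (not code from the original advisory or from the vendor; the datasource, table and column names are assumptions), a ColdFusion handler in the shape of viewEvent.cfm that concatenates EventID straight into the SQL text, beside a hardened version that validates the value and binds it with cfqueryparam:

```cfml
<!--- Vulnerable pattern (assumed shape of viewEvent.cfm, not the vendor's actual code):
      the raw URL parameter is pasted into the SQL text, so whatever the client sends
      becomes part of the query --->
<cfquery name="getEvent" datasource="calendar">
    SELECT EventID, Title, EventDate
    FROM   Events
    WHERE  EventID = #url.EventID#
</cfquery>

<!--- Hardened version: reject anything that is not an integer, then send the value
      as a bound parameter. cfqueryparam passes the value separately from the SQL
      text, so it can never alter the structure of the query. --->
<cfparam name="url.EventID" type="integer">
<cfquery name="getEvent" datasource="calendar">
    SELECT EventID, Title, EventDate
    FROM   Events
    WHERE  EventID = <cfqueryparam value="#url.EventID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Date parameters such as ThisDate (mainCal.cfm) get the same treatment with a
      date type; NewsID (newsView.cfm) is handled exactly like EventID above --->
<cfparam name="url.ThisDate" type="date" default="#Now()#">
<cfquery name="getDay" datasource="calendar">
    SELECT EventID, Title
    FROM   Events
    WHERE  EventDate = <cfqueryparam value="#url.ThisDate#" cfsqltype="cf_sql_date">
</cfquery>

<!--- In Application.cfm (assumed location): route request errors to a generic page
      so a failed query does not echo the SQL or the install path back to the client,
      which is how the advisory says the path is disclosed --->
<cferror type="request" template="error.cfm">
```

With the cfparam type checks in place, a non-numeric EventID or a malformed ThisDate raises an exception before any query runs, and the custom error template keeps the server's file paths out of the response.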
###############################################
More information @ unsecured-systems.com/forum/

Copyright (c) 2006 Pridels Sec Crew