Calendarix 0.7.20060401, SQL Injection Vulnerabilities


Date: Thu, 15 Jun 2006 23:39:40 +0200
From: Federico Fazzi <federico@autistici.org>
To: [email protected]
Subject: Calendarix 0.7.20060401, SQL Injection Vulnerabilities
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru

-----------------------------------------------------
Advisory id: FSA:018

Author:    Federico Fazzi
Date:      15/06/2006, 23:36
Synthesis: Calendarix 0.7.20060401, SQL Injection Vulnerabilities
Type:      low
Product:   http://www.calendarix.com/
Patch:     unavailable
-----------------------------------------------------


1) Description:


Error occurred in cal_event.php:

$dquery = "delete from ".$EVENTS_TB." where id='$id'";

Error occurred in cal_popup.php:

$id = $_GET['id'];

2) Proof of concept:

http://example/[c_path]/cal_event.php?id=[SQL_QUERY]
http://example/[c_path]/cal_popup.php?id=[SQL_QUERY]

3) Solution:

In cal_event.php, sanitize the $id variable;
in cal_popup.php, don't use $_GET['id'] to assign a value.
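As an added example (not Calendarix code and not from the advisory's author), the pattern behind both findings in PHP: the string-built delete from cal_event.php beside a hardened version that validates the id before it reaches SQL and binds it as a parameter. The PDO connection, the deleteEventSafe name and the cal_events sample table are assumptions; the advisory does not name them.

```php
<?php
// Added example, not Calendarix code. Assumptions: a PDO connection $pdo,
// $EVENTS_TB holding a trusted table name, and id being an integer key.

// Vulnerable form (the shape shown in the advisory): $id is spliced into the
// SQL text unchanged, so a value containing a quote rewrites the WHERE clause.
function deleteEventVulnerable(PDO $pdo, string $EVENTS_TB, string $id): int
{
    $dquery = "delete from " . $EVENTS_TB . " where id='$id'";
    return $pdo->exec($dquery);
}

// Hardened form: validate first, then bind, so the driver never treats the
// request value as query text. Accepting only a positive integer also covers
// the cal_popup.php point: $_GET['id'] is never assigned to $id unchecked.
function deleteEventSafe(PDO $pdo, string $EVENTS_TB, $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // $EVENTS_TB is configuration, not user input; allow-list it anyway so a
    // bad setting cannot turn the table name into a second injection point.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $EVENTS_TB)) {
        throw new RuntimeException('unexpected table name');
    }
    $stmt = $pdo->prepare("DELETE FROM $EVENTS_TB WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cal_events (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO cal_events (id, title) VALUES (1, 'standup'), (2, 'review'), (3, 'retro')");

// Well-formed request: exactly one row goes away.
echo deleteEventSafe($pdo, 'cal_events', '2'), " row(s) deleted\n";

// Request carrying a quote character: rejected before any SQL is built, whereas
// deleteEventVulnerable() would have concatenated it straight into the query.
try {
    deleteEventSafe($pdo, 'cal_events', "2'");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```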

