phpWebSite Multiple Calendar Module SQL Injection

2003-08-10T07:51:47
ID OSVDB:2410
Type osvdb
Reporter OSVDB
Modified 2003-08-10T07:51:47

Description

Vulnerability Description

phpWebSite contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "year" variable in the "calendar" module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 0.8.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpWebSite contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "year" variable in the "calendar" module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/[PATH]/index.php?module=calendar&calendar[view] =month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or% 20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29% 29%20and%20active%3d1

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view] =day&month=1%00&year=)SQL_INJECTION_CODE

References:

Vendor URL: http://phpwebsite.appstate.edu/ Secunia Advisory ID:9517 Related OSVDB ID: 3842 Related OSVDB ID: 3843 Related OSVDB ID: 3844 Other Advisory URL: http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/1659.html ISS X-Force ID: 12891 Generic Informational URL: http://phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=577 CVE-2003-0735 Bugtraq ID: 8390