ThWboard admin/calendar.php eventtime Variable SQL Injection

2003-11-03T08:14:17
ID: OSVDB:2758
Type: osvdb
Reporter: OSVDB
Modified: 2003-11-03T08:14:17

Description

Vulnerability Description

ThWboard contains a flaw that allows an attacker to inject arbitrary SQL code. The "eventtime" variable in the "admin/calendar.php" module is not properly validated, which allows an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 2.82 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.thwboard.de/
Secunia Advisory ID: 10120
Related OSVDB ID: 4838
ISS X-Force ID: 13583
Bugtraq ID: 8961