WebCalendar view_v.php eventinfo SQL Injection

2003-09-04T09:31:48
ID: OSVDB:3642
Type: osvdb
Reporter: OSVDB
Modified: 2003-09-04T09:31:48

Description

Vulnerability Description

WebCalendar contains a flaw that allows an attacker to inject arbitrary SQL code. The "eventinfo" variable in the view_v.php module is not properly validated, which allows an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://webcalendar.sourceforge.net/
Secunia Advisory ID: 9672
Other Advisory URL: http://nocon.darkflame.net/CSS/Wecalendar.txt
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-09/0051.html
ISS X-Force ID: 13096
Bugtraq ID: 8540