Calendarix 0.7.20060401, SQL Injection Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Calendarix 0.7.20060401, SQL Injection Vulnerabilities
From: Federico Fazzi <federico@xxxxxxxxxxxxx>
Date: Thu, 15 Jun 2006 23:39:40 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.2 (X11/20060504)

-----------------------------------------------------
Advisory id: FSA:018

Author:    Federico Fazzi
Date:      15/06/2006, 23:36
Sinthesis: Calendarix 0.7.20060401, SQL Injection Vulnerabilities
Type:      low
Product:   http://www.calendarix.com/
Patch:     unavailable
-----------------------------------------------------


1) Description:


Error occured in cal_event.php:

$dquery = "delete from ".$EVENTS_TB." where id='$id'";

Error occured in cal_popup.php:

$id = $_GET['id'];

2) Proof of concept:

http://example/[c_path]/cal_event.php?id=[SQL_QUERY]
http://example/[c_path]/cal_popup.php?id=[SQL_QUERY]

3) Solution:

on cal_event.php sanitized $id variable,
on cal_popup.php don't use $_GET['id'] to assign a value.

Prev by Date: Chatizens.com - XSS with cookie disclosure
Next by Date: Carspace.com - XSS with cookie disclosure
Previous by thread: Chatizens.com - XSS with cookie disclosure
Next by thread: Carspace.com - XSS with cookie disclosure
Index(es):
- Date
- Thread