From: Benjamin Livshits
To: moderators@osvdb.org
Date: Mon, 8 May 2006 10:19:14 -0700
Subject: [OSVDB Mods] [OSVDB] New Vulnerability

I am a researcher at Stanford University working on Web application security. I was recently looking at Jorganizer, an open source personal information organizer available on sourceforge (http://jorganizer.sourceforge.net/) and found a couple of potential vulnerabilities, which I list below:

1. SQL injection: CastorDatabase.java:248:

    String motherid = request.getParameter("motherid");

motherid propagates to a call to getOQLQuery on line 258, which is subsequently fed to a back-end database. I would suggest sanitizing motherid or using the prepared statement $1 syntax here.

2. HTTP splitting: ExtLinkAction.java:74

    response.sendRedirect(request.getParameter("link"));

is an HTTP request splitting vulnerability. Sanitization of the result of getParameter should solve the issue.

Thanks,

-Ben
http://www.stanford.edu/livshits/
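The two remediations the report proposes (a bound $1 parameter for the OQL query, and input validation before sendRedirect), written out as an added illustration. This is not Jorganizer's code or the reporter's; it assumes the servlet API and the Castor JDO OQLQuery bind/execute API, and the class names SafeHandlers, org.example.Entry and the allow-listed host are hypothetical placeholders.

```java
// Added example, not Jorganizer's code: the two remediations proposed in the report,
// written against the servlet API and the Castor JDO OQLQuery API (bind/execute),
// which this example assumes. Class and method names here are hypothetical.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.exolab.castor.jdo.Database;
import org.exolab.castor.jdo.OQLQuery;
import org.exolab.castor.jdo.PersistenceException;
import org.exolab.castor.jdo.QueryResults;

public class SafeHandlers {

    // 1. SQL/OQL injection: the request parameter is never concatenated into the
    //    query text; it is passed as a bind parameter ($1) so the persistence
    //    layer treats it as data rather than as query syntax.
    public static QueryResults findChildren(Database db, HttpServletRequest request)
            throws PersistenceException {
        String motherid = request.getParameter("motherid");
        // Reject anything that is not a decimal id before it reaches the database.
        // (Assumes motherid is a numeric key; adjust the check to the real type.)
        if (motherid == null || !motherid.matches("\\d{1,18}")) {
            throw new IllegalArgumentException("invalid motherid");
        }
        OQLQuery oql = db.getOQLQuery(
            "SELECT o FROM org.example.Entry o WHERE o.motherid = $1"); // hypothetical class
        oql.bind(Long.parseLong(motherid));
        return oql.execute();
    }

    // 2. HTTP response splitting (and open redirect): the "link" parameter is used
    //    only if it is a site-relative path free of CR/LF, or an absolute http(s)
    //    URL whose host is on an allow-list; anything else goes to a fixed page.
    private static final Set<String> ALLOWED_HOSTS = Set.of("jorganizer.sourceforge.net"); // placeholder
    private static final String DEFAULT_TARGET = "/index.jsp"; // placeholder

    static String safeRedirectTarget(String link) {
        if (link == null || link.isEmpty()) return DEFAULT_TARGET;
        // A raw CR or LF in a Location header would terminate the header block and
        // let the rest of the value be interpreted as further headers or a body.
        if (link.indexOf('\r') >= 0 || link.indexOf('\n') >= 0) return DEFAULT_TARGET;
        // Site-relative path: "/path" but not "//host" (protocol-relative URL).
        if (link.startsWith("/") && !link.startsWith("//")) return link;
        try {
            URI uri = new URI(link);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme != null && host != null
                    && (scheme.equals("http") || scheme.equals("https"))
                    && ALLOWED_HOSTS.contains(host.toLowerCase())) {
                return uri.toASCIIString();
            }
        } catch (URISyntaxException ignored) {
            // Malformed input falls through to the default target.
        }
        return DEFAULT_TARGET;
    }

    public static void redirect(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendRedirect(safeRedirectTarget(request.getParameter("link")));
    }
}
```

The CR/LF check is the part that addresses the splitting issue the report names; the allow-list on top of it also closes the open-redirect use of the same parameter, since a redirect target taken verbatim from the query string can send users to an arbitrary site even when the container already strips header line breaks.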