Info

Disclosure

Sep 04, 2003

Discovery

Sep 04, 2003

Dates

Exploit

Unknown

Solution

Unknown

Description

WebCalendar contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "eventinfo" variable in the month.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

WebCalendar	WebCalendar	0.9.11
		0.9.15
		0.9.16
		0.9.19
		0.9.2x
		0.9.3x
		0.9.40
		0.9.41
		0.9.42
		0.9.8

References

ISS X-Force ID: 13096
Bugtraq ID: 8540
Secunia Advisory ID: 9672
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-09/0051.html
http://nocon.darkflame.net/CSS/Wecalendar.txt
Vendor URL: http://webcalendar.sourceforge.net/

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218