WebCalendar webcalendar_session parameter SQL injection
| webcalendar-sql-injection (19369) |  Medium Risk |
Description:
WebCalendar is vulnerable to SQL injection. By sending a specially-crafted URL request to the login.php script containing SQL code in the webcalendar_session parameter, a remote attacker could obtain sensitive information and add, modify or delete data in the backend database.
Platforms Affected:
- WebCalendar, WebCalendar 0.9.45
Remedy:
Upgrade to the latest version of WebCalendar (1.0RC2 or later), available from the WebCalendar Download Web page. See References.
— OR —
As a workaround, apply the patch for this vulnerability, available from the Scovetta Labs Security Advisory dated 2005-02-16. See References.
Consequences:
Data Manipulation
References:
- Scovetta Labs Security Advisory 2005-02-16, WebCalendar: SQL Injection from encoded cookie at http://www.scovettalabs.com/advisory/SCL-2005.001.txt.
- WebCalendar Download Web page, WebCalendar at http://www.k5n.us/webcalendar.php?topic=Download.
- BID-12581: WebCalendar SQL Injection Vulnerability
- CVE-2005-0474: SQL injection vulnerability in the user_valid_crypt function in user.php in WebCalendar 0.9.45 allows remote attackers to execute arbitrary SQL commands via an encoded webcalendar_session cookie.
- OSVDB ID: 13918: WebCalendar login.php webcalendar_session Cookie SQL Injection
- SA14319: WebCalendar "webcalendar_session" SQL Injection
- SECTRACK ID: 1013231: WebCalendar user_valid_crypt function() Input Validation Error Lets Remote Users Inject SQL Commands
Reported:
Feb 18, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net