| VID |
210065 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Calendarix Basic is vulnerable to multiple SQL injection vulnerabilities in the calendar.php script. Calendarix is a web-based calendar application written in PHP. Calendarix Basic version 0.7.20070307 and earlier versions are vulnerable to multiple SQL injection vulnerabilities, caused by improper filtering of user-supplied input passed to the 'month' and 'year' parameters of the calendar.php script and the 'search' parameter of the cal_search.php script. If PHP's 'magic_quotes_gpc' setting is disabled, these vulnerabilities could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.netvigilance.com/advisory0038
http://www.securityfocus.com/archive/1/472221/30/0/threaded
http://www.frsirt.com/english/advisories/2007/2324
http://securitytracker.com/alerts/2007/Jun/1018287.html
http://secunia.com/advisories/25795
* Platforms Affected:
Vincent Hor, Calendarix version 0.7.20070307 and earlier versions
Any operating system Any version |
| Recommendation |
Upgrade to a version of Calendarix Basic greater than 0.7.20070307 from the Calendarix Web site at http://www.calendarix.com/download_basic.php |
| Related URL |
CVE-2007-3183 (CVE) |
| Related URL |
24633 (SecurityFocus) |
| Related URL |
35046 (ISS) |
|
