VID 21376
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The aspWebCalendar installation on the remote web server is vulnerable to SQL injection.
aspWebCalendar is a Web-based application that provides personal and group calendar functions for Microsoft Windows. It is vulnerable to SQL injection caused by improper validation of user-supplied input in the 'calendar.asp' script. By inserting a specially crafted SQL command via the '/calendar.asp?action=login' script or the 'eventid' field in the '/calendar.asp' script, a remote attacker could execute SQL commands on the target system or gain access to sensitive information.

* References:
http://securitytracker.com/alerts/2004/Sep/1011410.html
http://archives.neohapsis.com/archives/bugtraq/2004-09/0352.html

* Platforms Affected:
Full Revolution, Inc., aspWebCalendar Any version
Microsoft Windows Any version
Recommendation No upgrade or patch available as of June 2014.

Upgrade to the new version of aspWebAlbum when a version that fixes this problem becomes available from the Full Revolution, Inc. Web site at http://www.fullrevolution.com/calendar_overview.asp
Related URL CVE-2004-1552 (CVE)
Related URL 11246 (SecurityFocus)
Related URL 17506 (ISS)