VID 21919
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description Calendarix Basic, a web-based calendar application written in PHP, is vulnerable to multiple SQL injection vulnerabilities in version 0.7.20060401 and earlier. The 'id' parameter of the 'cal_event.php' and 'cal_popup.php' scripts is passed into database queries without proper filtering. If PHP's 'magic_quotes_gpc' setting is disabled, a remote attacker can supply crafted input that changes the query logic, potentially resulting in data exposure, data modification, or further attacks against the database itself.
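The pattern the description refers to, as an added example that is not Calendarix's own code: a hypothetical query that interpolates the 'id' request parameter into a quoted literal, the same bug in an unquoted numeric context, and a parameterized replacement. The table name, column names and payloads are constructed for illustration; the real cal_event.php and cal_popup.php queries are not reproduced, and the in-memory SQLite database only stands in for the MySQL backend the application uses.

```php
<?php
// Added example; not Calendarix code. Table, columns and payloads are
// assumptions made for illustration. Needs PHP with the pdo_sqlite extension.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE cal_event (id INTEGER PRIMARY KEY, title TEXT, private INTEGER)");
    $db->exec("INSERT INTO cal_event VALUES (1, 'Public meeting', 0), (2, 'Private review', 1)");
    return $db;
}

// Pattern the advisory describes: the request value is concatenated into the
// SQL inside a quoted literal. With magic_quotes_gpc off, a quote in the value
// terminates the literal and the remainder is parsed as SQL.
function vulnerable_quoted(PDO $db, string $id): array {
    $sql = "SELECT id, title FROM cal_event WHERE id = '$id' AND private = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same bug in an unquoted numeric context. No quote is needed to break out,
// so quote escaping (what magic_quotes_gpc did) offers no protection here.
function vulnerable_unquoted(PDO $db, string $id): array {
    $sql = "SELECT id, title FROM cal_event WHERE id = $id AND private = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is bound as a parameter and is never parsed as SQL.
function safe_lookup(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT id, title FROM cal_event WHERE id = ? AND private = 0");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$quoted   = "1' OR '1'='1' -- ";   // constructed payload: closes the literal, comments out the rest
$unquoted = "1 OR 1=1 -- ";        // constructed payload: works without any quote character

print_r(vulnerable_quoted($db, $quoted));   // 2 rows: the private event leaks
print_r(safe_lookup($db, $quoted));         // 0 rows: no event has that literal id
print_r(safe_lookup($db, "1"));             // 1 row: the public event

// magic_quotes_gpc backslash-escaped quotes in request data, equivalent to
// addslashes(). That alters the quoted-context payload but leaves the
// unquoted one untouched, so the unquoted query is still injectable.
var_dump(addslashes($quoted) !== $quoted);                 // bool(true)
var_dump(addslashes($unquoted) === $unquoted);             // bool(true)
print_r(vulnerable_unquoted($db, addslashes($unquoted)));  // still 2 rows
```

For an identifier that is always numeric, casting the value with (int) before it reaches the query is the simplest fix and removes the quoted-versus-unquoted distinction entirely; a bound parameter, as in safe_lookup, is the general fix. magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so relying on it is not an option on any current PHP.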

* References:
http://www.securityfocus.com/archive/1/437437/30/0/threaded
http://secunia.com/advisories/20645/
http://securitytracker.com/id?1016324
http://www.frsirt.com/english/advisories/2006/2360

* Platforms Affected:
Vincent Hor, Calendarix Basic version 0.7.20060401 and earlier versions
Any operating system Any version
Recommendation No upgrade or patch available as of June 2006.

Upgrade to a version of Calendarix Basic later than 0.7.20060401 once a fixed release is available from the Calendarix Web site at http://www.calendarix.com/download_basic.php. As an interim measure, enable PHP's magic_quotes_gpc setting, since the advisory conditions exploitation on it being disabled; treat this as a stopgap only, because it merely backslash-escapes quotes in request data and does not protect a value used in an unquoted numeric context, nor does it substitute for parameterized queries.
Related URL CVE-2006-3094 (CVE)
Related URL 18469 (SecurityFocus)
Related URL (ISS)