[Full-disclosure] Web Calendar Pro - Denial of Service SQL Injection Vulnerability

2006-02-16 00:00:00 | vulners.com

=======================================================================================
XOR Crew :: Security Advisory 1/12/2006

Web Calendar Pro - Denial of Service SQL injection (lame)

http://www.xorcrew.net/

=======================================================================================

:: Summary

  Vendor       :  MitriDAT
  Vendor Site  :  http://www.web-calendar-pro.com/

  Product(s)   :  Web Calendar Pro
  Version(s)   :  All
  Severity     :  Low/Medium
  Impact       :  Denial of Service
  Release Date :  1/12/2006
  Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

Web Calendar Pro is a powerful yet easy to use multi-language calendar system for
your website or your personal planning needs. This product can support an unlimited
number of web calendars, each of which can have its own settings. With Web Calendar
Pro you could handle a big public schedule for publishing events on your site, with
several users granted different rights for managing the calendar's events and an
unlimited number of subscribers, a private calendar for managing your own tasks, or
just a mini calendar to add more interactivity to your web site.

=======================================================================================

II. Synopsis

There is an unsanitized $tabls variable that allows for SQL injection into the DROP
query in the dropbase.php file. This causes the script to become inoperable
until the table has been fixed or until the application has been reinstalled. The vendor
has been made aware of this situation and has fixed the issue. Please upgrade to the
latest version.

Example:

http://www.site.com/pathtocalendar/dropbase.php?tabls=' or 1=1 --
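The root cause above is a table name taken straight from a request parameter and spliced into a DROP statement. Table names are identifiers, not values, so they cannot be bound as prepared-statement parameters; the fix is to validate the name against an allowlist of tables the script is permitted to touch. The following is an added illustration written for this page, not code from Web Calendar Pro or the advisory: it uses Python and an in-memory SQLite database (rather than the product's PHP/MySQL), and the table names in CALENDAR_TABLES are a constructed sample schema.

```python
import re
import sqlite3

# Constructed sample schema standing in for the application's tables (assumption).
CALENDAR_TABLES = {"events", "subscribers", "settings"}

# Identifier syntax check: letters, digits and underscores only, not starting with a digit.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db():
    """Create an in-memory database populated with the sample tables."""
    conn = sqlite3.connect(":memory:")
    for name in sorted(CALENDAR_TABLES):
        conn.execute(f"CREATE TABLE {name} (id INTEGER PRIMARY KEY)")
    return conn


def drop_table_unsafe(conn, tabls):
    """Mirrors the flaw in the advisory: the request parameter lands in the SQL text unchanged."""
    conn.execute(f"DROP TABLE {tabls}")


def drop_table_safe(conn, tabls):
    """Hardened form: reject anything that is not a known, syntactically plain table name.

    The allowlist alone would suffice; the regex is kept as defence in depth so a later
    change to CALENDAR_TABLES cannot silently admit a name that needs quoting.
    """
    if not _IDENT.match(tabls) or tabls not in CALENDAR_TABLES:
        raise ValueError(f"refusing to drop unexpected table name: {tabls!r}")
    # Double quotes are the standard SQL identifier delimiter; the name is already
    # validated, so this only guards against clashes with reserved words.
    conn.execute(f'DROP TABLE "{tabls}"')


def table_names(conn):
    """List the remaining user tables, sorted, so the effect of a drop is observable."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    )
    return [row[0] for row in rows]


def attempt(drop_fn, conn, tabls):
    """Run one drop function and report the outcome as a short label."""
    try:
        drop_fn(conn, tabls)
        return "dropped"
    except ValueError:
        return "rejected"          # the hardened check refused the name
    except sqlite3.DatabaseError:
        return "db_error"          # the database choked on malformed SQL


if __name__ == "__main__":
    payload = "' or 1=1 --"        # the value from the advisory's example URL
    for fn in (drop_table_unsafe, drop_table_safe):
        conn = make_db()
        print(fn.__name__, "with payload:", attempt(fn, conn, payload))
        print(fn.__name__, "with 'events':", attempt(fn, conn, "events"),
              "->", table_names(conn))
```

With the unsafe function the advisory's value reaches the database as broken SQL and the request fails, while with the hardened function it never leaves the application: only a name that is both well-formed and on the allowlist is ever placed in the statement.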

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

=======================================================================================