SQL Injection in Benders Calendar
Summary
- Vulnerability
- SQL Injection in Benders Calendar
- Discovered
- 2006.01.14
- Last Update
- 0 n/a
- ID
- EV0030
- CVE
- CVE-2006-0252
- Risk Level
- low
- Type
- SQL Injection
- Status
- Unpatched
- Vendor
- n/a
- Vulnerable Software
- Benders Calendar (http://sourceforge.net/projects/benderscalendar/)
- Version
- 1.0
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
SQL Injection found in Benders Calendar (http://sourceforge.net/projects/benderscalendar/) script.
All user-defined variables isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc: off
PoC/Exploit
"Year" "Month" or "Day" value:
999' union select 1,2,3,4,5,6/*
Solution.
Solution for "SQL Injection in Benders Calendar" is not available. Check vendor's website for updates.