SQL Injection in Benders Calendar

Summary

Vulnerability
SQL Injection in Benders Calendar
Discovered
2006.01.14
Last Update
0 n/a
ID
EV0030
CVE
CVE-2006-0252
Risk Level
low
Type
SQL Injection
Status
Unpatched
Vendor
n/a
Vulnerable Software
Benders Calendar (http://sourceforge.net/projects/benderscalendar/)
Version
1.0
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in Benders Calendar (http://sourceforge.net/projects/benderscalendar/) script.

All user-defined variables isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc: off

PoC/Exploit

"Year" "Month" or "Day" value:
999' union select 1,2,3,4,5,6/*

Solution.

Solution for "SQL Injection in Benders Calendar" is not available. Check vendor's website for updates.