Description - SQL Injection and Authentication Bypass in 2200net Calendar system
SQL Injection found in 2200net Calendar system script.
- Exploit: Available
- Solution: Not available - check vendor's website
1. SQL Injection.
Vulnerable script: program/calendar/calendar.php
The variable fm_data[id] isn't properly sanitized, so arbitrary SQL code can be injected through it to make any SQL query.
Condition: magic_quotes_gpc - off
2. Authentication Bypass.
Vulnerable script: class/classlogin/adminlogin.php
The variable $ad['acc'] isn't properly sanitized, so arbitrary SQL code can be injected through it to make any SQL query.
Condition: magic_quotes_gpc - off
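Added example (not the vendor's code and not from the original advisory): one way to handle both parameters so that the result no longer depends on the magic_quotes_gpc setting. The table and column names, the functions open_demo_db(), find_event() and check_admin(), and the sample data are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not 2200net Calendar code. Table/column names and all
// function names below are hypothetical.

function open_demo_db(): PDO {
    // Constructed in-memory data so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec('CREATE TABLE admins (acc TEXT PRIMARY KEY, pw_hash TEXT)');
    $db->exec("INSERT INTO events VALUES (1, 'Staff meeting')");
    $ins = $db->prepare('INSERT INTO admins VALUES (?, ?)');
    $ins->execute(['admin', password_hash('constructed-password', PASSWORD_DEFAULT)]);
    return $db;
}

// fm_data[id]: accept only a positive integer, then bind it as a parameter.
function find_event(PDO $db, $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer is rejected
    }
    $st = $db->prepare('SELECT id, title FROM events WHERE id = :id');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// $ad['acc']: the account name is bound to a placeholder as data; the
// password is verified in PHP against a stored hash, not inside the SQL.
function check_admin(PDO $db, $acc, $password): bool {
    if (!is_string($acc) || !is_string($password)) {
        return false; // array-valued request parameters are rejected
    }
    $st = $db->prepare('SELECT pw_hash FROM admins WHERE acc = :acc');
    $st->execute([':acc' => $acc]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

$db = open_demo_db();
var_dump(find_event($db, '1'));    // well-formed id
var_dump(find_event($db, "1'"));   // constructed malformed id
var_dump(check_admin($db, 'admin', 'constructed-password'));
var_dump(check_admin($db, "admin'", 'anything')); // quote is treated as data
```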