[SA10554] PostCalendar Search Function SQL Injection Vulnerability
From: Secunia Security Advisories (sec-adv secunia.com)
Date: Tue Jan 06 2004 - 10:42:05 CST
TITLE:
PostCalendar Search Function SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA10554
VERIFY ADVISORY:
http://www.secunia.com/advisories/10554/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data, Exposure of system information, Exposure of
sensitive information
WHERE:
From remote
SOFTWARE:
PostCalendar 4.x
DESCRIPTION:
Klavs Klavsen has discovered a vulnerability in PostCalendar, which
can be exploited by malicious people to conduct SQL injection
attacks.
The vulnerability is caused by insufficient validation of input
supplied to the search function, which allows injection of arbitrary
SQL code.
Successful exploitation may disclose sensitive information or allow
manipulation of database content. However, the impact depends on the
configuration of PHP and the underlying database on an affected
system.
The vulnerability affects version 4.0.0.
SOLUTION:
Update to version 4.0.1 or apply the latest security fix package.
PostCalendar 4.0.1 (full package):
http://noc.postnuke.com/download.php/243/postcalendar-4.0.1.zip
MD5 checksum: 85f28144f36b1487366f654f4f800830
PostCalendar 4.0.1 (fixed files only):
http://noc.postnuke.com/download.php/244/postcalendar-4.0.1-fixpackage.zip
MD5 checksum: 4b5fd57053c8577eeefef50cd1d19279
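As an added example (not part of the Secunia advisory or the PostCalendar project), the following Python code parses the download list above and checks a downloaded archive against the listed MD5 before it is deployed. The function names are hypothetical; the URLs and checksums are copied from the advisory.

```python
# Added example; helper names are hypothetical, URLs and checksums are the advisory's.
import hashlib
import hmac
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

ADVISORY_SOLUTION = """\
PostCalendar 4.0.1 (full package):
http://noc.postnuke.com/download.php/243/postcalendar-4.0.1.zip
MD5 checksum: 85f28144f36b1487366f654f4f800830
PostCalendar 4.0.1 (fixed files only):
http://noc.postnuke.com/download.php/244/postcalendar-4.0.1-fixpackage.zip
MD5 checksum: 4b5fd57053c8577eeefef50cd1d19279
"""

def parse_checksums(text):
    """Map each download's file name to the MD5 listed after its URL."""
    expected, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"MD5 checksum:\s*([0-9a-fA-F]{32})", line)
        if line.startswith(("http://", "https://")):
            pending = Path(urlparse(line).path).name
        elif m and pending:
            expected[pending] = m.group(1).lower()
            pending = None
    return expected

def md5_of(path, chunk_size=1 << 16):
    """Hash the file in chunks so large archives are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(path, expected):
    """Return 'ok', 'mismatch', 'missing' or 'unlisted' for a local file."""
    want = expected.get(Path(path).name)
    if want is None:
        return "unlisted"  # file name does not appear in the advisory
    if not Path(path).is_file():
        return "missing"
    return "ok" if hmac.compare_digest(md5_of(path), want) else "mismatch"

if __name__ == "__main__":
    table = parse_checksums(ADVISORY_SOLUTION)
    for name in sys.argv[1:]:
        print(f"{name}: {verify_download(name, table)}")
```

An MD5 match catches a corrupted or mismatched download, but MD5 is not collision-resistant, so it does not replace obtaining the package from the vendor over a trusted channel.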
PROVIDED AND/OR DISCOVERED BY:
Klavs Klavsen
ORIGINAL ADVISORY:
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2537
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://www.secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://www.secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only
use those supplied by the vendor.
----------------------------------------------------------------------