Info

Disclosure

Aug 31, 2004

Discovery

Unknown

Dates

Exploit

Aug 31, 2004

Solution

Unknown

Description

phpWebSite contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "cal_template" variable in the Calendar Module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, phpWebSite developers have released a patch to address this vulnerability.

Products

Appalachian State University

phpWebSite

0.9.3-4

References

Security Tracker: 1011120
Secunia Advisory ID: 12438
CVE ID: 2004-1654 (see also: NVD)
Related OSVDB ID: 9445 9446 9447
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0008.html
Vendor URL: http://phpwebsite.appstate.edu/
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00048-08312004
Vendor Specific Advisory URL: http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822

Credit

James Bercegay - securitygulftech.org - GulfTech Security Research

Direct URL: http://osvdb.org/9444