Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: WebCalendar Multiple Vulnerabilities

from [Paul Laudanski] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: WebCalendar Multiple Vulnerabilities
Date: Tue, 29 Nov 2005 21:04:21 -0500 (EST) 
On Mon, 28 Nov 2005, ascii wrote:


  Name              Multiple Vulnerabilities in WebCalendar
  Systems Affected  WebCalendar (verified on 1.0.1)
  Severity          Medium Risk
  Vendor            www.k5n.us/webcalendar.php?topic=About
  Advisory
   http://www.ush.it/team/ascii/hack-WebCalendar/advisory.txt

WebCalendar is vulnerable to four SQL Injection (files activity_log.php,
admin_handler.php, edit_template.php and export_handler.php) and one
local file overwrite (export_handler.php), input validation will fix.


I too tried contacting the vendor but received no response.  Your timing 
of vendor notice and vul'n release are fast unfortunately.  Taking a look, 
simple functions in PHP can be called upon to fix those issues.

Thanks for reporting them.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: DNS query spam, Florian Weimer
Next by Date:  [Full-disclosure] Re: WebCalendar Multiple Vulnerabilities, ascii
Previous by Thread:  [Full-disclosure] WebCalendar Multiple Vulnerabilities, ascii
Next by Thread:  [Full-disclosure] Re: WebCalendar Multiple Vulnerabilities, ascii
Indexes:  [Date] [Thread] [Top] [All Lists]