Family: CGI abuses --> Category: attack
PHP-Calendar search.php SQL Injection Vulnerability Scan
Vulnerability Scan Summary: Checks for a SQL injection vulnerability in PHP-Calendar's search.php
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP script that is susceptible to a
SQL injection attack.
Description :
The remote web server is running PHP-Calendar, a web-based calendar
written in PHP.
The version of PHP-Calendar installed on the remote host suffers from
a SQL injection vulnerability due to its failure to sanitize input to
the 'sort' and 'order' parameters to the 'includes/search.php' script.
An unauthenticated remote attacker can exploit this flaw to alter the
database queries the script issues, potentially revealing sensitive
information or even modifying data.
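Parameters named 'sort' and 'order' typically end up in an ORDER BY clause, and neither a column name nor a sort direction can be passed as a bound parameter of a prepared statement, so escaping is not enough: the usual fix is an allow-list of the values the page actually offers. The Python below is an added example, not PHP-Calendar's code. The table and column names, the base query and the probe payload are all constructed for illustration; the real query in includes/search.php is not shown on this page.

```python
import re

# Constructed placeholders: PHP-Calendar's real table and column names are
# not given on this page.
ALLOWED_SORT = {"starttime", "endtime", "subject"}
ALLOWED_ORDER = {"ASC", "DESC"}

BASE_QUERY = "SELECT id, subject, starttime FROM events WHERE subject LIKE '%meeting%'"


def build_search_query_vulnerable(sort: str, order: str) -> str:
    """Flawed pattern: request parameters land unfiltered in ORDER BY.

    Identifiers and keywords cannot be bound as prepared-statement
    parameters, so concatenating them here hands the caller control over
    the tail of the statement.
    """
    return f"{BASE_QUERY} ORDER BY {sort} {order}"


def build_search_query_hardened(sort: str, order: str) -> str:
    """Allow-list both values before they reach the query text.

    Raises ValueError for anything outside the fixed sets, so a caller can
    only choose among the columns and directions the page already offers.
    """
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction = order.upper()
    if direction not in ALLOWED_ORDER:
        raise ValueError(f"unsupported sort order: {order!r}")
    return f"{BASE_QUERY} ORDER BY {sort} {direction}"


# A blind, boolean-based probe of the kind an ORDER BY injection permits:
# rows come back sorted one way when the condition is true and the other
# way when it is false, so an attacker reads answers out of row order.
# (1=1) stands in for whatever condition the attacker wants to test.
PROBE_SORT = "(CASE WHEN (1=1) THEN starttime ELSE endtime END)"


def is_safe_sort_value(value: str) -> bool:
    """Cheap shape check a scanner or WAF rule could apply on the way in:
    a legitimate sort key is a bare identifier and nothing more."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", value) is not None


if __name__ == "__main__":
    print(build_search_query_vulnerable(PROBE_SORT, "ASC"))
    print(build_search_query_hardened("starttime", "desc"))
    try:
        build_search_query_hardened(PROBE_SORT, "ASC")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block prints the injected statement the flawed builder would send to the database, followed by the hardened builder accepting a legitimate request and rejecting the probe. Note that the allow-list compares whole values; a regex check such as is_safe_sort_value is only a defence-in-depth filter and would still let through a column name the page never meant to expose.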
See also :
http://sourceforge.net/project/shownotes.php?release_id=323483
Solution :
Upgrade to PHP-Calendar version 0.10.3 or later.
Threat Level:
Medium / CVSS Base Score : 5
(CVSS v1 vector: AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N, i.e. remotely exploitable, low complexity, no authentication required, partial confidentiality and integrity impact, no availability impact)