SecurityTracker
Archives
Category:   Application (Calendar)  >   PostCalendar
Vendors:   PostCalendar Team
PostCalendar Input Validation Flaw Permits Remote SQL Injection
SecurityTracker Alert ID:  1008621
SecurityTracker URL:  http://securitytracker.com/id/1008621
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 6 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0.0
Description:   Some input validation vulnerabilities were reported in PostCalendar. A remote user can inject SQL commands to be executed by the underlying database.

It is reported that the search function does not properly validate user-supplied input, permitting SQL injection attacks.
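To illustrate the class of defect the advisory describes, here is an added example (not PostCalendar's own code, which is PHP; this is a constructed Python/sqlite3 model with a hypothetical events table): a search function that splices the user's term into the SQL text beside the hardened form that binds it as a parameter. The crafted input shows how the concatenated form can disclose rows the query was meant to exclude, while the parameterized form treats the same input as an ordinary search string.

```python
import sqlite3

# Constructed sample data standing in for a calendar events table.
# Schema and rows are hypothetical, not taken from PostCalendar.
SAMPLE_EVENTS = [
    (1, "Team meeting", 0),      # visible event
    (2, "Board review", 1),      # hidden event: must never appear in search
    (3, "Public lecture", 0),    # visible event
]


def make_db():
    """Build an in-memory database holding the constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, title TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def search_vulnerable(conn, term):
    """Bug class from the advisory: the search term becomes part of the SQL text."""
    sql = ("SELECT id FROM events WHERE hidden = 0 "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Hardened form: the term travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT id FROM events WHERE hidden = 0 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run both variants on the same input; returns (vulnerable_ids, fixed_ids)."""
    conn = make_db()
    return search_vulnerable(conn, term), search_fixed(conn, term)


if __name__ == "__main__":
    # A benign term behaves identically in both variants.
    print(compare("meeting"))
    # A term carrying SQL syntax changes the WHERE clause in the
    # concatenated variant (the hidden row leaks) but not in the fixed one.
    print(compare("' OR 1=1 OR '"))
```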

The vendor credits Klavs Klavsen and the Security Forum Denmark (sikkerhedsforum.dk) with reporting this flaw.

Impact:   A remote user can execute SQL commands on the target system.
Solution:   The vendor has released a fixed version (4.0.1), available in the following packages:

1. PostCalendar 4.0.1 Fullpackage (.zip format)

http://noc.postnuke.com/download.php/243/postcalendar-4.0.1.zip
MD5 checksum: 85f28144f36b1487366f654f4f800830

2. PostCalendar 4.0.1 fixed files only (.zip format)

http://noc.postnuke.com/download.php/244/postcalendar-4.0.1-fixpackage.zip
MD5 checksum: 4b5fd57053c8577eeefef50cd1d19279

Vendor URL:  noc.postnuke.com/projects/postcalendar
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PostCalendar Security Advisory PCSA 2004-1


---------------------------------------------------------------------------
PostCalendar Security Advisory PCSA 2004-1
Author: Andreas Krapohl
Date: January 3rd, 2004
Website: http://noc.postnuke.com/projects/postcalendar
---------------------------------------------------------------------------
VULNERABILITY
SQL injection and various missing input validations

RELEVANT RELEASES
4.0.0

DESCRIPTION
PostCalendar is an online events calendar for the PostNuke Content Management System (http://www.postnuke.com). It allows for one-time or recurring events and calendar sharing, with multiple categories and PostNuke topics integration.
Vulnerable versions can be exploited through SQL injection within the search function.

SOLUTION
It is recommended that all admins upgrade their sites to v4.0.1 or apply the latest security fix package for v4.0.1, available right now from the locations listed below.

REFERENCES
No references are currently available on the net.

UPDATED PACKAGES
1. PostCalendar 4.0.1 Fullpackage (.zip format)
http://noc.postnuke.com/download.php/243/postcalendar-4.0.1.zip
MD5 checksum: 85f28144f36b1487366f654f4f800830
2. PostCalendar 4.0.1 fixed files only (.zip format)
http://noc.postnuke.com/download.php/244/postcalendar-4.0.1-fixpackage.zip
MD5 checksum: 4b5fd57053c8577eeefef50cd1d19279

ADDITIONAL INSTRUCTIONS
Just replace the files in your PostCalendar directory with the files contained in this patch to have your PC patched. Remember that a backup/dump is always a good idea prior to any update.

CREDITS
This exploit was originally found by Klavs Klavsen and the Security Forum Denmark (sikkerhedsforum.dk) and was reported on 2003-12-10.


Copyright 2019, SecurityGlobal.net LLC