SecurityTracker.com
Category:   Application (Calendar)  >   ASP Inline Corporate Calendar
Vendors:   aaronoutpost.com
ASP Inline Corporate Calendar Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1013884
SecurityTracker URL:  http://securitytracker.com/id/1013884
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jun 27 2005
Original Entry Date:  May 4 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  

Description:   Zinho reported an input validation vulnerability in ASP Inline Corporate Calendar. A remote user can inject SQL commands.

The 'defer.asp' and 'details.asp' scripts do not properly validate user-supplied input. A remote user can submit specially crafted parameter values to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

Calendar/defer.asp?Event_ID='&Occurr_ID=0

Calendar/details.asp?Event_ID='
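
A defender-side check for the requests described above, as an added example that is not part of the SecurityTracker entry or the vendor's code: it scans IIS W3C extended log lines for requests to 'defer.asp' and 'details.asp' whose Event_ID or Occurr_ID value is not a plain integer. That the IDs are integers, the log field layout, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Scripts and parameters named in the advisory; ASP treats both case-insensitively.
WATCHED = {"defer.asp": {"event_id", "occurr_id"}, "details.asp": {"event_id"}}
INTEGER = re.compile(r"[0-9]{1,10}")  # assumption: the IDs are plain integers


def suspicious_requests(log_lines):
    """Return (client_ip, script, parameter, value) for each watched
    parameter whose value is not a plain integer."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        script = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if script not in WATCHED:
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qsl percent-decodes, so %27 and a literal quote look the same
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in WATCHED[script] and not INTEGER.fullmatch(value):
                hits.append((row.get("c-ip", "?"), script, name, value))
    return hits


# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-05-04 10:00:01 192.0.2.10 GET /Calendar/details.asp Event_ID=42 200
2005-05-04 10:00:07 198.51.100.7 GET /Calendar/details.asp Event_ID=' 500
2005-05-04 10:00:09 198.51.100.7 GET /Calendar/defer.asp Event_ID=%27&Occurr_ID=0 500
2005-05-04 10:00:12 192.0.2.10 GET /Calendar/defer.asp Event_ID=7&Occurr_ID=0 200
2005-05-04 10:00:15 192.0.2.11 GET /Calendar/default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same integer test, applied inside the scripts before the value reaches any SQL statement, is the input validation the advisory says is missing.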

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   The vendor has issued a fix.
Vendor URL:  www.aaronoutpost.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [HSC Security Group] ASP Inline Corporate Calendar SQL injection


Hackers Center Security Group (http://www.hackerscenter.com/)        
Zinho's Security Advisory         

Desc: SQL injection : ASP Inline Corporate Calendar
Risk: Medium

The Corporate Calendar is a nice ASP script to manage a calendar shared by users. It 
has been downloaded by thousands of people, and it is considered one of the most 
successful ASP scripts at hotscripts.com

Multiple SQL injections affect ASP Inline Corporate Calendar:

POC:

Calendar/defer.asp?Event_ID='&Occurr_ID=0
or
Calendar/details.asp?Event_ID='


The vendor was contacted 10 days ago. No one replied.



Author:         
Zinho is webmaster and founder of http://www.hackerscenter.com ,      
Security research   portal       
Secure Web Hosting Companies Reviewed:      
http://www.securityforge.com/web-hosting/secure-web-hosting.asp      

zinho-no-spam @ hackerscenter.com


