BosDev BosDates SQL Injection Vulnerability
BID: 9639
Info
| Bugtraq ID: | 9639 |
| Class: | Input Validation Error |
| CVE: | CVE-2004-0275 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 11 2004 12:00AM |
| Updated: | Jul 12 2009 02:06AM |
| Credit: | Discovery of this issue has been credited to G00db0y. |
| Vulnerable: | BosDev BosDates 3.2, BosDev BosDates 3.1, BosDev BosDates 3.0 |
| Not Vulnerable: | |
Discussion
An SQL injection vulnerability has been reported to affect the BosDates calendar system. The issue arises because user-supplied data is not sufficiently sanitized before it is used in database queries. As a result, an attacker could modify the logic and structure of those queries. Other attacks may also be possible, such as gaining access to sensitive information.
Exploit / POC
No exploit is required to leverage this issue. The following proof of concept has been provided:
http://www.example.com/directory/calendar_download.php?calendar=[query]
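The class of defect the advisory describes, shown as an added Python/sqlite3 mock rather than BosDates code (the real application is PHP and its source is not on this page): a `calendar` request value concatenated into SQL lets a caller change the query's structure, while the hardened handler validates the value as a numeric id and binds it as a parameter. The table, rows and names are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for a calendar table; the real BosDates schema is not on the page.
CALENDARS = [
    (1, "Public events", 0),
    (2, "Board meetings", 1),   # private = 1: must never be served by the download endpoint
    (3, "HR schedule", 1),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calendars (id INTEGER PRIMARY KEY, name TEXT, private INTEGER)")
    conn.executemany("INSERT INTO calendars VALUES (?, ?, ?)", CALENDARS)
    return conn


def download_vulnerable(conn, calendar):
    """Mirrors the reported defect: the request value is pasted straight into the SQL text."""
    sql = "SELECT id, name FROM calendars WHERE id = " + calendar + " AND private = 0"
    return conn.execute(sql).fetchall()


def download_fixed(conn, calendar):
    """Hardened handler: enforce the expected type, then pass the value as a bound parameter."""
    if not re.fullmatch(r"[0-9]+", calendar):
        raise ValueError("calendar must be a numeric id")
    sql = "SELECT id, name FROM calendars WHERE id = ? AND private = 0"
    return conn.execute(sql, (int(calendar),)).fetchall()


def fixed_rejects(conn, calendar):
    """True when the hardened handler refuses the value instead of querying with it."""
    try:
        download_fixed(conn, calendar)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # A benign id behaves the same in both handlers.
    print(download_vulnerable(db, "1"), download_fixed(db, "1"))
    # A tautology with a trailing comment turns the vulnerable query into "id = 0 OR 1=1",
    # discarding the private-calendar check; the fixed handler never builds that query.
    print(len(download_vulnerable(db, "0 OR 1=1 --")), fixed_rejects(db, "0 OR 1=1 --"))
```

Type validation alone would have prevented this instance, but parameter binding is what makes the query structure independent of the input for every field, including free-text ones.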
Solution / Fix
Solution:
A patch has been released by the vendor. It is advised that customers apply the patch immediately. For more information on obtaining the patch, please see the reference section and contact the vendor for details.