WebCalendar

Vulnerability?

  1. 2005-11-28 19:31:58 UTC
    This just hit Bugtraq:
    http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/
  2. 2005-11-28 20:51:37 UTC
    I got an email for this over the holiday weekend. Nice for them to wait for us to fix it before publishing it.

    This report applies to 1.0.1.

    We will have a fix for this in CVS very quickly and a 1.0.2 release will be made to include the fix(es).

    Announcements that relate to this will be sent to the webcalendar announce mailing list. If you are not subscribed, use the following link (or follow the "Mail" link above):

    http://lists.sourceforge.net/lists/listinfo/webcalendar-announce
  3. 2005-11-28 22:10:20 UTC
    Maybe I am missing something here, but it looks to me like there is only a problem if you have magic quotes off. Am I wrong here? The documentation states you need to have magic_quotes_gpc enabled.

    How does one do SQL Injection if magic_quotes_gpc is enabled? Doesn't the offending SQL text get escaped into a valid string?
  4. nobody

    2005-11-29 01:14:14 UTC
    That's what I have read on most of the forums.

    I see an issue with edit_template.php. It references connect.php as the place admin is verified...not good.

    admin_handler tests for admin...if you have admin access then SQL injection would be pointless.

    -Ray