Vulnerability?

2005-11-28
2013-01-15
  • Jameel Akari

    Jameel Akari - 2005-11-28
     
    • Craig Knudsen

      Craig Knudsen - 2005-11-28

      I got an email for this over the holiday weekend.  Nice for them to wait for us to fix it before publishing it.

      This report applies to 1.0.1.

      We will have a fix for this in CVS very quickly and a 1.0.2 release will be made to include the fix(es).

      Announcements that relate to this will be sent to the webcalendar announce mailing list.  If you are not subscribed, use the following link (or follow the "Mail" link above):

      http://lists.sourceforge.net/lists/listinfo/webcalendar-announce

       
    • Craig Knudsen

      Craig Knudsen - 2005-11-28

      Maybe I am missing something here, but it looks to me like there is only a problem if you have magic quotes off.  Am I wrong here?  The documentation states you need to have magic_quotes_gpc enabled.

      How does one do SQL Injection if magic_quotes_gpc is enabled?  Doesn't the offending SQL text get escaped into a valid string?

       
    • Nobody/Anonymous

      That's what I have read on most of the forums.

      I see an issue with edit_template.php. It references connect.php as the place admin is verified...not good.

      admin_handler tests for admin...if you have admin access then SQL injection would be pointless.

      -Ray

       
