Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18276
HistoryOct 24, 2007 - 12:00 a.m.

Aleris Software Systems Web Publisher Calendar SQL injection

2007-10-2400:00:00
vulners.com
22

http://www.alerisdata.com/articles/home.asp

There exists an SQL injection vulnerability within the calendar section of a Aleris Software Systems web publisher. It seems thats Aleris uses this same calendar with every site they make that utilizes the publisher.

www.example.com/calendar/page.asp?mode=1%20union%20all%20select%201,2,3,4,5,6%20FROM%20users–

I reported this to aleris and am awaiting a response. No fix yet.