CERTVU:925166PhpWebSite calendar module contains a SQL injection vulnerability
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
68.0%
Overview
The PhpWebSite contains an SQL injection vulnerability that may allow malicious users to execute SQL queries on a server with the privileges of the PhpWebSite administrator.
Description
PhpWebSite is an open-source web content management system that includes a web-based calendar module to let users to create, post, and view events on a PhpWebSite managed site. By default users must have requests for new events approved by a site administrator before they are added to the calendar. However, lack of input validation of the cal_template variable may allow malicious users to inject a SQL query into the new event. If a site administrator approves the event the SQL query will be executed.
Impact
A remote attacker may be able to execute SQL queries on a server with the privileges of a PhpWebSite administrator.
Solution
Apply a Patch
PhpWebsite has released a patch to address this issue available at: http://www.phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch.tar.gz.
Vendor Information
925166
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Appalachian State University __ Affected
Updated: October 19, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Appalachian State University released an announcement regarding this issue available at:
http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23925166 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.gulftech.org/?node=research&article_id=00048-08312004
- <http://www.securitytracker.com/alerts/2004/Aug/1011120.html>
- <http://www.securityfocus.com/archive/1/332561>
- <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0735>
- http://marc.theaimsgroup.com/?l=bugtraq&m=106062021711496&w=2
- <http://www.osvdb.org/displayvuln.php?osvdb_id=9444>
- [http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822 ](<http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822 >)
Acknowledgements
This vulnerability was publicly reported by GulfTech Security.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2003-0735 |
|---|---|
| Severity Metric: | 0.20 Date Public: |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0735
marc.theaimsgroup.com/?l=bugtraq&m=106062021711496&w=2
www.gulftech.org/?node=research&article_id=00048-08312004
www.osvdb.org/displayvuln.php?osvdb_id=9444
www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822
www.securityfocus.com/archive/1/332561
www.securitytracker.com/alerts/2004/Aug/1011120.html
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
68.0%