[38711] in bugtraq


[HSC Security Group] ASP Inline Corporate Calendar SQL injection

daemon@ATHENA.MIT.EDU (Zinho)
Thu May 5 11:28:32 2005

Date: 3 May 2005 16:39:32 -0000
Message-ID: <20050503163932.13035.qmail@www.securityfocus.com>
From: Zinho <zinho@hackerscenter.com>
To: bugtraq@securityfocus.com



Hackers Center Security Group (http://www.hackerscenter.com/)         
Zinho's Security Advisory          

Desc: SQL injection : ASP Inline Corporate Calendar
Risk: Medium

The Corporate Calendar is a nice ASP script to manage a calendar shared by users. It has been downloaded by thousands of people, and it is considered one of the most successful ASP scripts at hotscripts.com

Multiple SQL injections affect ASP Inline Corporate Calendar:

POC:

Calendar/defer.asp?Event_ID='&Occurr_ID=0
or
Calendar/details.asp?Event_ID='


The vendor was contacted 10 days ago. No one replied.



Author:          
Zinho is webmaster and founder of http://www.hackerscenter.com ,
Security research portal
Secure Web Hosting Companies Reviewed:       
http://www.securityforge.com/web-hosting/secure-web-hosting.asp       

zinho-no-spam @ hackerscenter.com 
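
A log check for the two request patterns in the POC above, added here as an example and not part of the original advisory: it flags requests to defer.asp or details.asp whose Event_ID or Occurr_ID value is not a plain integer. The log field layout, the sample lines and the integer-only rule are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Pages and query parameters named in the advisory (keys lower-cased: ASP's
# Request.QueryString lookups are case-insensitive).
WATCHED = {
    "defer.asp": ("event_id", "occurr_id"),
    "details.asp": ("event_id",),
}
PLAIN_INT = re.compile(r"[0-9]+")  # assumption: legitimate IDs are plain integers

# Constructed sample lines; assumed field layout:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2005-05-03 16:01:10 192.0.2.10 GET /Calendar/details.asp Event_ID=42 200
2005-05-03 16:01:12 192.0.2.77 GET /Calendar/details.asp Event_ID=%27 500
2005-05-03 16:01:15 192.0.2.77 GET /Calendar/defer.asp Event_ID='&Occurr_ID=0 500
2005-05-03 16:01:20 192.0.2.10 GET /Calendar/defer.asp Event_ID=7&Occurr_ID=0 200
2005-05-03 16:01:25 192.0.2.10 GET /Calendar/default.asp - 200
"""

def find_tampered_ids(log_text):
    """Return (client_ip, page, parameter, decoded_value) for each watched
    parameter whose value is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # not in the assumed layout
        _date, _time, ip, _method, stem, query, _status = fields
        page = stem.rsplit("/", 1)[-1].lower()
        if page not in WATCHED:
            continue
        # parse_qs percent-decodes values, so %27 and a literal ' look the same
        params = {}
        for key, values in parse_qs(query, keep_blank_values=True).items():
            params.setdefault(key.lower(), []).extend(values)
        for name in WATCHED[page]:
            for value in params.get(name, []):
                if not PLAIN_INT.fullmatch(value):
                    findings.append((ip, page, name, value))
    return findings

if __name__ == "__main__":
    for finding in find_tampered_ids(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule, applied in the ASP pages before the value reaches the query, is the corresponding input check on the server side.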
