search menu icon-carat-right cmu-wordmark

CERT Coordination Center

PhpWebSite calendar module contains a SQL injection vulnerability

Vulnerability Note VU#925166

Original Release Date: 2004-10-19 | Last Revised: 2004-10-19

Overview

The PhpWebSite contains an SQL injection vulnerability that may allow malicious users to execute SQL queries on a server with the privileges of the PhpWebSite administrator.

Description

PhpWebSite is an open-source web content management system that includes a web-based calendar module to let users to create, post, and view events on a PhpWebSite managed site. By default users must have requests for new events approved by a site administrator before they are added to the calendar. However, lack of input validation of the cal_template variable may allow malicious users to inject a SQL query into the new event. If a site administrator approves the event the SQL query will be executed.

Impact

A remote attacker may be able to execute SQL queries on a server with the privileges of a PhpWebSite administrator.

Solution

Apply a Patch

PhpWebsite has released a patch to address this issue available at: http://www.phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch.tar.gz.

Vendor Information

925166
 

Appalachian State University Affected

Updated:  October 19, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Appalachian State University released an announcement regarding this issue available at:

http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was publicly reported by GulfTech Security.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2003-0735
Severity Metric: 0.20
Date Public: 2004-08-31
Date First Published: 2004-10-19
Date Last Updated: 2004-10-19 20:44 UTC
Document Revision: 131

Sponsored by CISA.