Overview
The PhpWebSite contains an SQL injection vulnerability that may allow malicious users to execute SQL queries on a server with the privileges of the PhpWebSite administrator.
Description
PhpWebSite is an open-source web content management system that includes a web-based calendar module to let users to create, post, and view events on a PhpWebSite managed site. By default users must have requests for new events approved by a site administrator before they are added to the calendar. However, lack of input validation of the cal_template variable may allow malicious users to inject a SQL query into the new event. If a site administrator approves the event the SQL query will be executed. |
Impact
A remote attacker may be able to execute SQL queries on a server with the privileges of a PhpWebSite administrator. |
Solution
Apply a Patch PhpWebsite has released a patch to address this issue available at: http://www.phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch.tar.gz. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.gulftech.org/?node=research&article_id=00048-08312004
- http://www.securitytracker.com/alerts/2004/Aug/1011120.html
- http://www.securityfocus.com/archive/1/332561
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0735
- http://marc.theaimsgroup.com/?l=bugtraq&m=106062021711496&w=2
- http://www.osvdb.org/displayvuln.php?osvdb_id=9444
- http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822
Acknowledgements
This vulnerability was publicly reported by GulfTech Security.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2003-0735 |
| Severity Metric: | 0.20 |
| Date Public: | 2004-08-31 |
| Date First Published: | 2004-10-19 |
| Date Last Updated: | 2004-10-19 20:44 UTC |
| Document Revision: | 131 |