Lorenzo Hernandez Garcia-Hierro

Name of the Vulnerable Software and Affected Versions: phpWebSite versions 0.9.x and earlier Description: A SQL injection issue in the Calendar module allows remote attackers to execute arbitrary SQL queries. This can be demonstrated using the `year` parameter. Recommendations: For phpWebSite versions 0.9.x and earlier, avoid using the `year` parameter in the affected Calendar module until a fix is available. As a temporary workaround, consider restricting access to the Calendar module to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: phpWebSite versions 0.9.x and earlier Description: The issue allows remote attackers to execute arbitrary web script. This can be achieved via several parameters, including the `day` parameter in the "calendar" module, the `fatcat id` parameter in the "fatcat" module, the `PAGE id` parameter in the "pagemaster" module, and the `PDA limit` parameter in the "search" module. Other parameters in the "calendar", "fatcat", and "pagemaster" modules may also be vulnerable. Recommendations: For phpWebSite versions 0.9.x and earlier, consider disabling the calendar, fatcat, and pagemaster modules until a patch is available. Restrict access to the search module to minimize the risk of exploitation. Avoid using the parameters `day`, `fatcat id`, `PAGE id`, and `PDA limit` in their respective modules until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: phpWebSite versions 0.9.x and earlier Description: The issue allows remote attackers to obtain the full pathname of phpWebSite by exploiting the calendar module with an invalid year. This generates an error from the localtime() function in TimeZone.php of the Pear library. Recommendations: For phpWebSite versions 0.9.x and earlier, consider restricting access to the calendar module until a fix is available. As a temporary workaround, avoid using the calendar module with invalid years to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: phpWebSite versions 0.9.x and earlier Description: The issue allows remote attackers to cause a denial of service via a long `year` parameter in the calendar module. Recommendations: For phpWebSite versions 0.9.x and earlier, consider restricting access to the calendar module until a patch is available. As a temporary workaround, avoid using the calendar module with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.