PT-2006-1667 · 2200Net · 2200Net Calendar System

Aliaksandr Hartsuyeu

Publicado

2006-02-09

Atualizado

2018-10-19

CVE-2006-0610

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions 2200net Calendar system version 1.2

Description The issue allows remote attackers to execute arbitrary SQL commands and bypass authentication. This can be achieved via two methods:

The fm data[id] parameter to "calendar.php"
The $ad['acc'] variable in "adminlogin.php", when gpc magic quotes is disabled.

Recommendations For 2200net Calendar system version 1.2, consider disabling the gpc magic quotes disabled feature or restricting access to "calendar.php" and "adminlogin.php" until a patch is available. Avoid using the fm data[id] parameter in "calendar.php" and the $ad['acc'] variable in "adminlogin.php" to minimize the risk of exploitation.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Identificadores relacionados

CVE-2006-0610

Produtos afetados

2200Net Calendar System

PT-2006-1667 · 2200Net · 2200Net Calendar System

CVE-2006-0610

Identificadores relacionados

Produtos afetados

Referências · 11