icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

PHP-Calendar < 0.10.3 includes/search.php SQL Injection

High

Synopsis

The remote web server contains a script that is vulnerable to a SQL injection attack.

Description

The remote host is running PHP-Calendar, a web-based calendar application written in PHP. This version of PHP-Calendar is vulnerable to a remote SQL injection attack. Specifically, the search.php script fails to parse out SQL-reserved characters and would allow a remote attacker to read or write data as well as potentially execute arbitrary code on the remote database.

Solution

Upgrade to version 0.10.3 or higher.