
PHP-Calendar < 0.10.3 includes/search.php SQL Injection

High

Synopsis

The remote web server contains a script that is vulnerable to a SQL injection attack.

Description

The remote host is running PHP-Calendar, a web-based calendar application written in PHP. This version of PHP-Calendar is vulnerable to a remote SQL injection attack. Specifically, the includes/search.php script fails to filter out SQL-reserved characters, which would allow a remote attacker to read or write data and potentially execute arbitrary code on the remote database.

Solution

Upgrade to version 0.10.3 or higher.