PHP Planner SQL Injection Vulnerability , Discovered by N_A , 
N_A[at]tutanota.com
=================================================================================




Description
===========

This is a basic PHP Calendar with lots of features and possiblities. Uses 
mySQL as backend and is fitted with an account based system


https://sourceforge.net/projects/phpplanner





Vulnerability
=============


An SQL Injection vulnerability is present within the register.php file of the 
package which results in arbitary command execution.


register.php, snippet of vulnerable code:
=========================================




if (isset($_POST['Submit'], $_POST['email'], $_POST['username'], 
$_POST['password'], $_POST['password2'], $_POST['name']) && 
IsEmailValid($_POST['email'])) {
A A A  A A A  $SQL = mysql_query("SELECT * FROM cal_users WHERE username = '". 
$_POST['username'] ."' OR password = '". MD5($_POST['password']) ."' OR email 
= '". $_POST['email'] ."'");




As we can see the 'username','password' and 'email' variables are passed 
unchecked into the SQL query via the POST method.




email ==> N_A[at]tutanota.com