PostCalendar version 4.0.0 is susceptible to SQL injection attacks via its search functionality.
1a2c7aa20973af02d5af4ed28004504abcdfe546c0885a30933405efccb5680a
---------------------------------------------------------------------------
PostCalendar Security Advisory PCSA 2004-1
Author: Andreas Krapohl
Date: January 3rd, 2004
Website: http://noc.postnuke.com/projects/postcalendar
---------------------------------------------------------------------------
VULNERABILITY
SQL injection and various missing input validations
[read extended text for more information]
RELEVANT RELEASES
4.0.0
DESCRIPTION
PostCalendar is an online events calendar. Allowing for one time or
recurring events and calendar sharing with multiple categories and
PostNuke topics integration.
Vulnerable versions can be exploited through SQL injection within the
search function.
SOLUTION
It is recommended that all admins upgrade their sites to v4.0.1 or
apply the latest security fix package for v4.0.1 available right now
from the locations listed below.
REFERENCES
No references are currently available on the net.
UPDATED PACKAGES
1. PostCalendar 4.0.1 Fullpackage (.zip format)
http://noc.postnuke.com/download.php/243/postcalendar-4.0.1.zip
MD5 checksum: 85f28144f36b1487366f654f4f800830
2. PostCalendar 4.0.1 fixed files only (.zip format)
http://noc.postnuke.com/download.php/244/postcalendar-4.0.1-fixpackage.zip
MD5 checksum: 4b5fd57053c8577eeefef50cd1d19279
ADDITIONAL INSTRUCTIONS
Just replace the files contained in this patch into your PostCalendar
directory to have your PC patched. Remember that a backup/dump is
always a good idea prior to any update.
CREDITS
This exploit has been originally found by Klavs Klavsen and the
Security Forum Denmark (sikkerhedsforum.dk) and has been reported on
2003-12-10.