Codewalkers ltwCalendar 4.x suffers from a SQL injection vulnerability.
14c4a543df895e011a180eaa4ad6d126004f65fa383265dc4a31510315e02864
Codewalkers ltwCalendar 4.x SQL inj. vuln
Vuln. discovered by: r0t
Date: 29 Nov. 2005
Vendor: http://calendar.codewalkers.com/
Affected version: v4.1.3 and prior
Product Description:
ltwCalendar is an event calendar programmed in PHP and currently uses mySQL as a database backend. With ltwCalendar, you can add single events or recurring events. Everything is in a very customizable layout and should be very easy to integrate with your site. Do keep in mind though that my initial intent was to never release this code into the wild. I was just making this for a personal project. After I got done with it however I decided I would give it to the world.
Vuln. description:
Input passed to the "id" parameter in "calendar.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
example:
/calendar.php?display=event&id=[SQL]
Solution:
Edit the source code to ensure that input is properly sanitised.
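The following PHP is an added illustration of the flaw class the advisory describes and of the fix its solution line calls for; it is not ltwCalendar's own code. Only the "id" parameter and the display=event page come from the advisory; the mysqli connection, the table name events, and the function names are assumptions.

```php
<?php
// Added illustration, not ltwCalendar's own source. Table/column names,
// function names and the mysqli handle are assumed for the example.

// Vulnerable pattern described in the advisory: the "id" request parameter
// is concatenated straight into the SQL string, so whatever text the client
// sends is parsed by the database as part of the query.
function fetchEventUnsafe(mysqli $db, array $get): ?array
{
    $id = $get['id'] ?? '';
    $sql = "SELECT * FROM events WHERE id = " . $id; // no type check, no escaping
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened version: an event id is an integer, so validate the type first,
// then pass it as a bound parameter so it can never be interpreted as SQL.
function fetchEventSafe(mysqli $db, array $get): ?array
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // including strings that merely start with digits.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null; // treat malformed input as "no such event"
    }

    $stmt = $db->prepare("SELECT * FROM events WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id); // 'i' binds the value as an integer
    $stmt->execute();
    // get_result() needs the mysqlnd driver; use bind_result() otherwise.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Dispatch for the page shape named in the advisory (calendar.php?display=event&id=...).
// $db is an already-opened mysqli connection (assumed).
if (($_GET['display'] ?? '') === 'event') {
    $event = fetchEventSafe($db, $_GET);
    if ($event === null) {
        http_response_code(404);
        exit('Event not found');
    }
    // ... render $event ...
}
```

Either half of the fix alone is an improvement: the integer validation stops non-numeric input at the edge, and the prepared statement keeps the query structure fixed even if a later change lets a string through. Casting with (int) instead of validating would also close this hole for a numeric column, but validating and rejecting makes bad requests visible in the 404 log rather than silently mapping them to id 0.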