New eVuln Advisory: Benders Calendar SQL Injection http://evuln.com/vulns/30/summary/bt/ --------------------Summary---------------- Software: Benders Calendar Sowtware's Web Site: http://sourceforge.net/projects/benderscalendar/ Versions: 1.0 Critical Level: Harmless Type: SQL Injection Class: Remote Status: Unpatched Exploit: Available Solution: Not Available Discovered by: Aliaksandr Hartsuyeu (eVuln.com) eVuln ID: EV0030 -----------------Description--------------- All user-defined variables isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code. Condition: gpc_magic_quotes: off --------------Exploit---------------------- "Year" "Month" or "Day" value: 999' union select 1,2,3,4,5,6/* --------------Solution--------------------- No Patch available. --------------Credit----------------------- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)