SNS Vulnerability

SoftComplex PHP Event Calendar Multiple Input Validation Vulnerabilities

Description

Multiple vulnerabilities have been identified in SoftComplex PHP Event Calendar, which could be exploited by attackers to disclose sensitive information or manipulate certain data. These issues are caused by input validation errors in various scripts (e.g. "index.php") when processing user-supplied parameters (e.g. "page" or "err"), which could be exploited to gain knowledge of sensitive information, to overwrite arbitrary files, or to conduct cross-site scripting and request forgery attacks.

Vulnerable Products

Vulnerable Software:
SoftComplex PHP Event Calendar version 1.5 and prior

Solution

CVE

References

http://www.exploit-db.com/exploits/13988/

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL	3.2.0
Misc : Directory traversal - parameter starting with ../	3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL	3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL	3.2.0
Directory traversal using ..\..	3.2.0
XSS - Phishing : suspicious 'div' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL	3.2.0
Directory traversal	3.2.0
XSS - Phishing : suspicious 'a' tag found in URL	3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL	3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL	3.2.0
XSS - Phishing : suspicious 'form' tag found in URL	3.2.0
XSS - Prevention - GET : javascript code found in URL	3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL	3.2.0
Directory traversal backward root folder	3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL	3.2.0
XSS - Phishing : suspicious 'link' tag found in URL	3.2.0
XSS - Prevention - GET : 'script' tag found in URL	3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL	3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL	3.2.0

Risk level

Low

Vulnerability First Public Report Date

2010-06-24

Target Type

Server

Possible exploit

Local & Remote