[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Aleris Software Systems Web Publisher Calendar SQL injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Aleris Software Systems Web Publisher Calendar SQL injection
From: Joseph.giron13@xxxxxxxxx
Date: 23 Oct 2007 22:04:48 -0000


http://www.alerisdata.com/articles/home.asp

There exists an SQL injection vulnerability within the calendar section of a 
Aleris Software Systems web publisher. It seems thats Aleris uses this same 
calendar with every site they make that utilizes the publisher.

www.example.com/calendar/page.asp?mode=1%20union%20all%20select%201,2,3,4,5,6%20FROM%20users--

I reported this to aleris and am awaiting a response. No fix yet.

Prev by Date: HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data
Next by Date: [Aria-Security.Net] CodeWidgets.Com Online Event Registration Multiple login SQL Injection
Previous by thread: HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data
Next by thread: [Aria-Security.Net] CodeWidgets.Com Online Event Registration Multiple login SQL Injection
Index(es):
- Date
- Thread