[VIM] ltwCalendar = PHP Event Calendar, and vendor ACK

Steven M. Christey coley at mitre.org
Fri Dec 1 19:18:12 EST 2006


See details below.  Looks like many of us wound up with duplicates.

Note that the CONFIRM has a couple more security issues that haven't
been picked up by VDBs.

- Steve


======================================================
Name: CVE-2005-4011
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4011
Acknowledged: yes changelog
Announced: 20051129
Flaw: sql-inject
Reference: BUGTRAQ:20060622 Calendar ( Provided by Codewalkers ) - SQL Injection
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/438232/100/0/threaded
Reference: BUGTRAQ:20060627 Re: Calendar ( Provided by Codewalkers ) - SQL Injection
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/438580/100/0/threaded
Reference: MISC:http://pridels.blogspot.com/2005/11/codewalkers-ltwcalendar-4x-sql-inj.html
Reference: MISC:http://www.Silitix.com/calendar-cws.php
Reference: CONFIRM:http://ltwcalendar.sourceforge.net/changelog.php
Reference: BID:15636
Reference: URL:http://www.securityfocus.com/bid/15636
Reference: BID:18593
Reference: URL:http://www.securityfocus.com/bid/18593
Reference: FRSIRT:ADV-2005-2652
Reference: URL:http://www.frsirt.com/english/advisories/2005/2652
Reference: OSVDB:21195
Reference: URL:http://www.osvdb.org/21195
Reference: OSVDB:27539
Reference: URL:http://www.osvdb.org/27539
Reference: SECTRACK:1016364
Reference: URL:http://securitytracker.com/id?1016364
Reference: SECUNIA:17799
Reference: URL:http://secunia.com/advisories/17799
Reference: XF:itwcalendar-calendar-sql-injection(23312)
Reference: URL:http://xforce.iss.net/xforce/xfdb/23312
Reference: XF:phpeventcalendar-calendar-sql-injection(27362)
Reference: URL:http://xforce.iss.net/xforce/xfdb/27362

SQL injection vulnerability in calendar.php in Codewalkers ltwCalendar
(aka PHP Event Calendar) 4.2, 4.1.3, and earlier allows remote
attackers to execute arbitrary SQL commands via the id parameter.


Analysis:
ACCURACY: product's home page (http://ltwcalendar.sourceforge.net/)
refers to the product as "ltwCalendar - PHP Event Calendar" and it has
been called by both names on occasion.  Multiple disclosures have used
different names.

ACKNOWLEDGEMENT: vendor changelog for 4.2.1 says "BUG FIX: Fixed a
known SQL injection vulnerability relating to the 'id' tag."
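The description above names the bug class (an `id` request parameter concatenated into a query in calendar.php) and the changelog names the fix. As an added illustration that is not ltwCalendar's code, here is that pattern beside a hardened version; the `events` table, its `id` column and the PDO handle are assumed for the example:

```php
<?php
// Added example, not ltwCalendar's code. Table and column names are assumed.

// Unsafe pattern of the kind the CVE describes: the raw request parameter
// is pasted into the SQL text, so any input other than a plain integer
// becomes part of the query rather than data compared against a column.
function fetchEventUnsafe(PDO $db, array $get): ?array
{
    $sql = 'SELECT * FROM events WHERE id = ' . ($get['id'] ?? '');
    $result = $db->query($sql);
    if ($result === false) {
        return null;
    }
    $row = $result->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: an event id is a positive integer, so reject anything
// else up front, then pass the value as a bound parameter. The database
// driver receives the query text and the value separately, so the value can
// never change the statement's structure.
function fetchEventSafe(PDO $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM events WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed usage: a PDO connection opened with real prepared statements.
// $db = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false]);
// $event = fetchEventSafe($db, $_GET);
```

Setting `PDO::ATTR_EMULATE_PREPARES` to false makes the MySQL driver send the statement and its parameters separately rather than interpolating them client-side.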
