PHP Planner SQL Injection Vulnerability, Discovered by N_A,
N_A[at]tutanota.com
=================================================================================
Description
===========
This is a basic PHP calendar with lots of features and possibilities. It uses
MySQL as its backend and is fitted with an account-based system.
https://sourceforge.net/projects/phpplanner
Vulnerability
=============
An SQL injection vulnerability is present in the register.php file of the
package, which results in arbitrary command execution.
register.php, snippet of vulnerable code:
=========================================
if (isset($_POST['Submit'], $_POST['email'], $_POST['username'],
          $_POST['password'], $_POST['password2'], $_POST['name']) &&
    IsEmailValid($_POST['email'])) {
    $SQL = mysql_query("SELECT * FROM cal_users WHERE username = '".
        $_POST['username'] ."' OR password = '". MD5($_POST['password']) .
        "' OR email = '". $_POST['email'] ."'");
As we can see, the 'username', 'password' and 'email' variables are passed
unchecked into the SQL query via the POST method.
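
The same duplicate-account lookup written with bound parameters, as an added example that is not part of the original advisory or the PHP Planner code. It assumes PDO is available; the function name find_existing_users, the in-memory SQLite table and the sample rows are constructed for illustration.

```php
<?php
// Added example: parameterised form of the register.php lookup shown above.
// find_existing_users() is a hypothetical helper; table contents are constructed.

function find_existing_users(PDO $pdo, string $username, string $password, string $email): array
{
    // Placeholders keep request values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT username, email FROM cal_users
          WHERE username = :username OR password = :password OR email = :email'
    );
    $stmt->execute([
        ':username' => $username,
        ':password' => md5($password), // MD5 kept only to mirror the original query
        ':email'    => $email,
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test database standing in for the MySQL backend.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cal_users (username TEXT, password TEXT, email TEXT)');
$insert = $pdo->prepare('INSERT INTO cal_users VALUES (?, ?, ?)');
$insert->execute(['alice', md5('correct horse'), 'alice@example.com']);
$insert->execute(["o'brien", md5('battery staple'), 'obrien@example.com']);

// A username containing a quote is compared as a literal value.
$rows = find_existing_users($pdo, "o'brien", 'unused', 'nobody@example.com');
var_dump(count($rows) === 1 && $rows[0]['username'] === "o'brien"); // bool(true)

// Built by concatenation, the same value alters the SQL text and it no longer parses.
$sql = "SELECT * FROM cal_users WHERE username = '" . "o'brien" . "'";
try {
    $pdo->query($sql);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query rejected: the quote changed the statement\n";
}

// No existing match returns an empty list, so registration can proceed.
var_dump(find_existing_users($pdo, 'carol', 'pw', 'carol@example.com') === []); // bool(true)
```

The mysql_query() function used in the vulnerable snippet was removed in PHP 7.0, so moving to PDO or mysqli prepared statements is also required for the code to run on current PHP.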
email ==> N_A[at]tutanota.com