Document Title:
===============
Eventy CMS v1.8 Plus - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=756

Release Date:
=============
2012-11-13

Vulnerability Laboratory ID (VL-ID):
====================================
756

Common Vulnerability Scoring System:
====================================
8.3

Product & Service Introduction:
===============================
Publish Your Events In Online Calendar. Eventy Is Beautiful And Easy To Use Web Based Event Calendar Software.
Publish events like parties, courses, meetings, conferences, workshops, and more in an easy and user-friendly way.
Eventy Plus adds features like mailing lists, a multi-administrator interface, switchable weekly/monthly view,
event categories, and a rich text editor. Use Eventy or Eventy Plus for your company website, freelancer's blog,
club site, online school, or to show your consulting availability. Eventy uses Ajax and runs on web hosts with
PHP and MySQL.

(Copy of the Vendor Homepage: http://calendarscripts.info/event-calendar-software.html )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Eventy CMS v1.8 Plus.

Vulnerability Disclosure Timeline:
==================================
2012-11-13: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
1.1
A SQL injection vulnerability has been detected in Eventy CMS v1.8 Plus, a web-based event calendar application.
The vulnerability allows a remote attacker, or a local low-privileged user account, to execute SQL commands
against the DBMS used by the affected application. The injection point is the event_id parameter of the
eventy.php file.

Successful exploitation results in compromise of the DBMS and the application. Exploitation requires neither
user interaction nor a privileged application user account.

Vulnerable File(s):
    [+] eventy.php

Vulnerable Parameter(s):
    [+] event_id

1.2
A persistent input validation vulnerability has been detected in Eventy CMS v1.8 Plus, a web-based event
calendar application. The bug allows remote attackers to inject malicious script code that is stored and
rendered on the application side (persistent). The persistent vulnerabilities are located in the Add Event
module, in the Event Title and Event Location parameters.

Successful exploitation can lead to session hijacking (manager/admin) or stable (persistent) manipulation of
the affected page context. Exploitation requires low user interaction and a privileged web application user
account (one that is allowed to add events).

Vulnerable Module(s):
    [+] Add Event

Vulnerable Parameter(s):
    [+] Event Title
    [+] Event Location

1.3
A non-persistent (reflected) cross site scripting vulnerability has been detected in Eventy CMS v1.8 Plus, a
web-based event calendar application. The vulnerability allows remote attackers to hijack website customer,
moderator or admin sessions; it requires medium or high user interaction, or a local low-privileged user
account. The vulnerability is located in the eventy.php page, in the selyear and selmonth parameters.

Successful exploitation results in account theft, client-side phishing, or client-side manipulation of
content and requests.

Vulnerable File(s):
    [+] eventy.php

Vulnerable Parameter(s):
    [+] selyear
    [+] selmonth

Proof of Concept (PoC):
=======================
1.1
The SQL injection vulnerability can be exploited by remote attackers without a privileged application user
account and without user interaction. For demonstration or to reproduce ...

PoC: SQL Injection Vulnerability

1.2
PoC: The script code is entered in the Event Title and Event Location fields of the Add Event module. When the
admin or any other user views the event, the injected code gets executed.

Reference(s):
http://eventy.127.0.0.1:8080/eventy-plus/eve_edit.php?m=November&y=2012&d=20

1.3
PoC: Client side - Cross Site Scripting
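Detection note (added example; this is not part of the original advisory and not code from the Eventy
product): the two issues that live in GET parameters of eventy.php (1.1 event_id, 1.3 selyear/selmonth) leave
traces in ordinary web server access logs, so a defender can retro-hunt for exploitation attempts. The Python
script below parses Combined Log Format lines, decodes the query string of every request to eventy.php, and
flags an event_id that is not a plain integer and a selyear or selmonth that is not a four-digit year or a
month name/number. Those expected value formats are assumptions drawn from how the parameters are used (the
advisory does not document them), and the log lines embedded in the script are constructed for illustration.
The stored XSS in the Add Event module (1.2) is submitted in a request body and is not visible in access logs,
so it is out of scope for this check.

```python
"""Flag exploitation attempts against the eventy.php parameters named in the
advisory (event_id, selyear, selmonth) in Apache/nginx Combined Log Format
access logs. Added example, not part of the advisory or of Eventy itself.
SAMPLE_LOG below is constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed benign value formats (not documented by the advisory): event_id is a
# positive integer, selyear a four-digit year, selmonth a month name or number.
EXPECTED = {
    "event_id": re.compile(r"^\d+$"),
    "selyear": re.compile(r"^\d{4}$"),
    "selmonth": re.compile(r"^[A-Za-z]+$|^\d{1,2}$"),
}

# Constructed sample: two benign requests, a SQLi probe on event_id, a reflected
# XSS probe on selyear, and an unrelated request to a different script.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Nov/2012:10:01:02 +0000] "GET /eventy-plus/eventy.php?event_id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2012:10:01:09 +0000] "GET /eventy-plus/eventy.php?selyear=2012&selmonth=November HTTP/1.1" 200 6012 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Nov/2012:10:02:15 +0000] "GET /eventy-plus/eventy.php?event_id=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 9310 "-" "sqlmap/1.0"
203.0.113.9 - - [13/Nov/2012:10:02:40 +0000] "GET /eventy-plus/eventy.php?selyear=2012%22%3E%3Cscript%3Ealert(1)%3C/script%3E&selmonth=November HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Nov/2012:10:03:01 +0000] "GET /index.php?event_id=1%27 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, time, method, path, params, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes once; keep_blank_values keeps "event_id=" visible.
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def suspicious_params(params):
    """Return [(name, decoded_value)] for monitored params whose value breaks the expected format."""
    findings = []
    for name, pattern in EXPECTED.items():
        if name in params:
            # Decode a second time so a double-encoded payload (e.g. 1%2527) is still caught.
            value = unquote_plus(params[name])
            if not pattern.match(value):
                findings.append((name, value))
    return findings


def scan(log_text):
    """Scan log text and return one hit per request to eventy.php carrying a suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/eventy.php"):
            continue
        bad = suspicious_params(rec["params"])
        if bad:
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "status": rec["status"], "params": bad})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["status"], hit["params"])
```

Run it against a real log with `scan(open("access.log").read())`; a hit whose status is 200 with an
oversized response, as in the constructed SQLi line, is the one to triage first, since it suggests the
injected condition changed what eventy.php returned rather than producing an error page.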