News

---------------------------------------------------------------------------
PostCalendar Security Advisory PCSA 2004-1
Author: Andreas Krapohl
Date: January 3rd, 2004
Website: http://noc.postnuke.com/projects/postcalendar
---------------------------------------------------------------------------
VULNERABILITY
SQL injection and various missing input validations

[read extended text for more information]

RELEVANT RELEASES
4.0.0

DESCRIPTION
PostCalendar is an online events calendar. Allowing for one time or recurring events and calendar sharing with multiple categories and PostNuke topics integration.
Vulnerable versions can be exploited through SQL injection within the search function.

SOLUTION
It is recommended that all admins upgrade their sites to v4.0.1 or apply the latest security fix package for v4.0.1 available right now from the locations listed below.

REFERENCES
No references are currently available on the net.

UPDATED PACKAGES
1. PostCalendar 4.0.1 Fullpackage (.zip format)
http://noc.postnuke.com/download.php/243/postcalendar-4.0.1.zip
MD5 checksum: 85f28144f36b1487366f654f4f800830
2. PostCalendar 4.0.1 fixed files only (.zip format)
http://noc.postnuke.com/download.php/244/postcalendar-4.0.1-fixpackage.zip
MD5 checksum: 4b5fd57053c8577eeefef50cd1d19279

ADDITIONAL INSTRUCTIONS
Just replace the files contained in this patch into your PostCalendar directory to have your PC patched. Remember that a backup/dump is always a good idea prior to any update.

CREDITS
This exploit has been originally found by Klavs Klavsen and the Security Forum Denmark (sikkerhedsforum.dk) and has been reported on 2003-12-10.