[VIM] Re: Confirmation of BosDates vulnerability? (fwd)

Steven M. Christey coley at linus.mitre.org
Tue Nov 29 23:07:08 EST 2005 

Re: http://pridels.blogspot.com/2005/11/bosdates-v40-sql-vuln.html
(CVE-2005-3911)

The BosDates developer apparently left an acknowledgement on r0t's blog,
so I asked him to confirm and he did.  See below.

- Steve


---------- Forwarded message ----------
Date: Tue, 29 Nov 2005 21:53:08 -0600
From: Don Boston <XXXXXX at bosdev.com>
To: Steven M. Christey <coley at mitre.org>
Subject: Re: Confirmation of BosDates vulnerability?

At 09:27 PM 11/29/2005, you wrote:

>Is this the case?  Has the issue been fixed?  I could not find
>information on your web site.

Yes, I sent out a mass email to all of my clients who use the product to
inform them of the corrected calendar.php file.

A copy of the email is below:
----------------------------------------------------------------------------------------

To: XXXXXX at bosdev.com
Subject: BosDev - BosDate Security Issue
From: announcements at bosdev.com
Date: Tue, 29 Nov 2005 11:13:52 -0500


SECURITY NOTICE FOR BOSDATES 4.X

Thank you for taking the time to read my email, I know how busy you are and
I appreciate your time.

A security flaw has been discovered in BosDates version 4.x which can
potentially open the system to malicious SQL injections.

The report:
"r0t has reported two vulnerabilities in BosDates, which can be exploited
by malicious people to conduct SQL injection attacks.

Input passed to the "year" and "category" parameters in "calendar.php"
isn't properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code."

We have released a patch for this issue, to correct it.  The issue was
first discovered on the 25th of this month, and reported today.  BosDev
immediately fixed the issue and now suggests you upgrade your calendar script.

To obtain the latest build, simply login to our downloads section at
http://www.bosdev.com/download/

Once you have downloaded the package, upload the /calendar.php file to your
calendar directory.

There have been no reported attacks on any customer sites at this time.





Do not reply to this message, it will go to a non-existant account.  Please
feel free to send any comments to support at bosdev.com instead.

-------------------------------------------------------------------------------------------

Thank you for following up on this issue.


Don Boston
http://www.bosdev.com

More information about the VIM mailing list