Janek Vind "waraxe" has reported a vulnerability in Event Calendar, allowing malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.

1) Path information can be disclosed in error pages by passing invalid input or accessing scripts directly.

Examples:
Calendar/config.php
Calendar/index.php
Calendar/submit.php

2) Input passed to various parameters isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Examples:
modules.php?name=Calendar&file=submit&type=[code]
modules.php?name=Calendar&file=submit&op2=Preview&day=[code]
modules.php?name=Calendar&file=submit&op2=Preview&month=[code]
modules.php?name=Calendar&file=submit&op2=Preview&year=[code]
modules.php?name=Calendar&file=submit&op2=Preview&type=[code]

3) Comments aren't sanitised before being stored. This can be exploited to execute arbitrary script code in a user's browser session in context of an affected website when a an event with malicious comments is viewed.

4) Input passed to the "eid", "cid" and possibly other parameters isn't properly verified before it is used in a SQL query. This can be exploited to manipulate SQL queries.

Version 2.13 has been reported vulnerable. Other versions may also be vulnerable.

Solution
Edit the source code to ensure that input is properly sanitised.
Further details available to Secunia VIM customers

Provided and/or discovered by
Janek Vind "waraxe"

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://www.waraxe.us/index.php?modname=sa&id=38

Deep Links
Links available to Secunia VIM customers