CVE-2006-0610

An attacker can send a crafted HTTP request to `calendar.php` with a malicious `fm_data[id]` parameter containing SQL metacharacters to execute arbitrary SQL commands. For authentication bypass, the attacker submits a login request to `admin.php?ad=login` with a username value such as `' or 1/*` and any password, which injects into the `$ad['acc']` variable and subverts the authentication query. Both attacks require `magic_quotes_gpc` to be disabled [ref_id=1][ref_id=2].

The SQL injection occurs in `program/calendar/calendar.php` via the `fm_data[id]` parameter, and the authentication bypass is in `class/classlogin/adminlogin.php` via the `$ad['acc']` variable. Both scripts fail to sanitize user-supplied input before constructing SQL queries [ref_id=1][ref_id=2].

No patch is available from the vendor. The advisory states the developer(s) did not reply and no solution has been released [ref_id=1][ref_id=2]. To remediate, the application must properly escape or parameterize the `fm_data[id]` and `$ad['acc']` variables before including them in SQL queries, or enable `magic_quotes_gpc` as a partial mitigation.