Hi,

Just come across a security advisory about GCalendar2.14.
Any comments on this? Advice of how to fix the issue?



DESCRIPTION: A vulnerability has been discovered in the GCalendar component for Joomla, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "gcid" parameter to index.php (when "option" is set to "com_gcalendar" and "view" is set to "event") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 2.1.4. Other versions may also be affected.

I wasn't aware of this

the fix will come soon.....

here is the fix, hope it helps...
code.google.com/p/joomla-gcalendar/sourc...dar/admin/dbutil.php

I couldn't reproduce the problem....do you have some steps to reproduce the problem?

sorry, I haven't reproduced it yet - I'm no expert on sql injections so I probably won't be trying to do it.

However, I appreciate the fix you have provided and hope that will do the trick.
Thanks!

the following file can be extracted in the root of the joomla installation, it should fix it......