WebCalendar Allows Remote Users to Execute PHP Commands on the Server Without Authentication
SecurityTracker Alert ID: 1001413
SecurityTracker URL: http://securitytracker.com/id/1001413
Date: Apr 23 2001
Impact: Execution of arbitrary code via network
Version(s): WebCalendar 0.9.26; possibly others
Secure Reality issued an advisory for WebCalendar, a PHP-based multi-user web calendar system, warning that it allows a remote user to execute commands on the server.
The advisory reports that versions prior to 0.9.26 are almost certainly vulnerable but have not been tested.
A remote user could execute PHP commands on the server without authentication.
No vendor solution was available at the time of this entry. However, the advisory points to a patch prepared by Secure Reality; see the source message for details.
Vendor URL: webcalendar.sourceforge.net/
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: (SRPRE00004) WebCalendar 0.9.26
Secure Reality Pty Ltd. Security Pre-Advisory #4 (SRPRE00004)
Remote command execution vulnerabilities in WebCalendar
This is a pre-release. This vulnerability will be discussed in detail during
Shaun Clowes' speech at the Black Hat briefings in Asia in the week of the
23rd of April. A full advisory will be issued following the conference.
All prior versions are almost certainly vulnerable but not tested
Remote command execution by unauthenticated remote users
The authors have not yet been able to correct the issues in mainstream
versions. SecureReality is providing patches for the problems; no liability
for the performance or effectiveness of these patches is accepted.
Users of earlier versions are advised to upgrade to the versions specified
then apply the patches.
To apply the patches:
- cd to the directory in which the application files are stored (e.g
- run 'patch -p0 < *Path to patch file*'
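The two steps above (change into the application directory, then run `patch -p0`) can be wrapped so that a patch is first checked with a dry run and only applied if every hunk matches, which keeps a mismatched patch from leaving the tree half-modified. This is an added example, not part of the advisory and not SecureReality's patch; the file contents and the unified diff it uses are constructed for illustration, and the helper name `apply_patch_p0` is assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): apply a patch from inside the
# application directory with 'patch -p0', after a dry run confirms it applies.
# All file contents and the patch below are constructed for illustration.

# apply_patch_p0 DIR PATCHFILE
# -p0 means the paths inside the diff are used as-is, relative to DIR, which is
# why the advisory says to cd into the application directory first.
# Returns 0 if the patch was applied, 1 if the dry run rejected it (DIR untouched).
apply_patch_p0() {
    dir=$1
    patchfile=$2
    # Dry run: patch(1) reports any hunk that would fail without modifying files.
    if ! (cd "$dir" && patch -p0 --dry-run < "$patchfile" >/dev/null); then
        echo "patch does not apply cleanly to $dir; nothing changed" >&2
        return 1
    fi
    (cd "$dir" && patch -p0 < "$patchfile" >/dev/null)
}

# make_demo_tree DIR: builds a constructed application file plus two patches,
# one that matches the file and one whose context does not.
make_demo_tree() {
    dir=$1
    printf 'line one\nline two\nline three\n' > "$dir/config.inc.php"
    cat > "$dir/good.patch" <<'EOF'
--- config.inc.php
+++ config.inc.php
@@ -1,3 +1,3 @@
 line one
-line two
+line two (patched)
 line three
EOF
    cat > "$dir/bad.patch" <<'EOF'
--- config.inc.php
+++ config.inc.php
@@ -1,3 +1,3 @@
 line one
-line nine
+line nine (patched)
 line three
EOF
}

# demo: returns 0 when the good patch applies, the bad patch is rejected, and
# the rejected patch left the file exactly as the good patch had written it.
demo() {
    work=$(mktemp -d)
    make_demo_tree "$work"
    apply_patch_p0 "$work" "$work/good.patch" || return 1
    grep -q 'line two (patched)' "$work/config.inc.php" || return 1
    if apply_patch_p0 "$work" "$work/bad.patch" 2>/dev/null; then
        return 1
    fi
    grep -q 'line two (patched)' "$work/config.inc.php" || return 1
    rm -rf "$work"
    return 0
}
```

Run `demo` to exercise both paths; in real use, point `apply_patch_p0` at the WebCalendar directory and the patch file obtained from the advisory.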
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality Pty Ltd does not accept responsibility for
any damage or injury caused as a result of its use.