Category:   Application (Calendar)  >   PerlCal Vendors:   Acme Software
PerlCal Web Calendar Software Allows Remote Users to View Files on the Server
SecurityTracker Alert ID:  1001450
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jun 10 2002
Original Entry Date:  Apr 28 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): probably 2.96 and prior
Description:   Whizkunde released a security advisory for PerlCal, a Perl-based web calendar, warning that it may allow remote users to read files on the server that the web server process can read.

It is reported that the "" script does not filter ".." (parent-directory) sequences from a user-supplied path component in the URL, so a crafted request can traverse out of the calendar's directory (a classic directory traversal flaw).

As an example, a URL in the following format may allow the /etc/passwd file to be read by the remote user:


The vendor has reportedly been notified.
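The traversal described above, as an added example that is not PerlCal's code and is not part of the original entry: a stripped-down Perl CGI-style file handler with the vulnerable open beside a hardened version. The data directory (a temporary directory standing in for the calendar's), the sample file `cal.dat` and the handler names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not PerlCal code: a minimal CGI-style file handler that
# reproduces the traversal pattern the advisory describes, next to a
# hardened version. $BASE (a temp dir), "cal.dat" and the sub names are
# assumptions; the sample file content is constructed.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

my $BASE = tempdir(CLEANUP => 1);   # stands in for the calendar's data directory

# Constructed sample file so the legitimate case has something to serve.
{
    open(my $fh, '>', "$BASE/cal.dat") or die "cannot create sample file: $!";
    print $fh "sample calendar data\n";
    close($fh);
}

# VULNERABLE: the user-supplied name is glued onto $BASE and opened as-is.
# A name such as "../../../../etc/passwd" resolves outside $BASE, so any
# file readable by the web server user can be returned to the visitor.
sub read_vulnerable {
    my ($name) = @_;
    my $path = "$BASE/$name";
    open(my $fh, '<', $path) or return undef;
    local $/;                      # slurp mode
    my $data = <$fh>;
    close($fh);
    return $data;
}

# HARDENED: an allowlist on the name, then canonicalisation and a containment
# check on the resolved path. realpath() collapses ".." and follows symlinks,
# so a symlink planted inside $BASE that points at /etc cannot be used either.
sub resolve_safe {
    my ($name) = @_;
    return undef unless defined $name;
    # 1. Allowlist: one plain filename, no slashes, no leading dot, no NUL byte.
    return undef unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    # 2. Canonicalise both sides; realpath returns undef if the file is absent.
    my $base = realpath($BASE);
    return undef unless defined $base;
    my $real = realpath(File::Spec->catfile($base, $name));
    return undef unless defined $real;
    # 3. Containment: the resolved path must lie directly under the base.
    return undef unless index($real, "$base/") == 0;
    return $real;
}

sub read_safe {
    my ($name) = @_;
    my $path = resolve_safe($name);
    return undef unless defined $path;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Demonstration: the same traversal payload against both handlers, plus a
# legitimate name against the hardened one.
my $payload = '../../../../etc/passwd';
printf "vulnerable handler, %s: %s\n", $payload,
    defined read_vulnerable($payload) ? 'served /etc/passwd' : 'open failed';
printf "hardened handler,   %s: %s\n", $payload,
    defined read_safe($payload) ? 'BUG, file served' : 'rejected';
printf "hardened handler,   cal.dat: %s\n",
    defined read_safe('cal.dat') ? 'served' : 'rejected';
```

Run it as `perl traversal_demo.pl` on a Unix host: the vulnerable handler returns /etc/passwd (the repeated `..` stops at `/`, which is why a deeper-than-needed prefix still works), the hardened handler rejects the payload at the allowlist, and `cal.dat` is still served. The allowlist alone blocks `..`; the realpath containment check is defence in depth for symlinks and for any later code path that builds a name with a slash in it.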

Impact:   A remote user can obtain any file on the server that is readable by the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issued Fix) Re: PerlCal Web Calendar Software Allows Remote Users to View Files on the Server
The vendor issued a fixed version.

 Source Message Contents

Subject:  PerlCal (CGI) show files vulnerability

[whizkunde security advisory: PerlCal (CGI)]

Release date: April 27th 2001

Subject: PerlCal (CGI) security problem

Systems affected: *NIX (not Windows) systems running the PerlCal CGI script


1. problem
The PerlCal script may allow remote users (website visitors) to view
any file on a webserver (depending on the user the webserver is
running as).

Consider this URL:
This will display /etc/passwd (if the webserver user has access to
this file).

2. fix
I warned the PerlCal vendor three weeks ago. After his reaction,
I gave him some time and tips to release a fix. Because the vendor
still hasn't fixed the problem and because he didn't notify me as to
why he hasn't released a patch yet, I released this advisory.
I really hope the vendor will release a patch in the very
near future.
In the meantime it might be a good idea to just chmod 000
your PerlCal scripts.

Stan a.k.a. ThePike

Copyright whizkunde security team 2001

