SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Calendar)  >   PerlCal
Vendors:   Acme Software
(Vendor Issued Fix) Re: PerlCal Web Calendar Software Allows Remote Users to View Files on the Server
SecurityTracker Alert ID:  1004498
SecurityTracker URL:  http://securitytracker.com/id/1004498
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 10 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): probably 2.96 and prior
Description:   Whizkunde released a security advisory for PerlCal, a Perl-based web calendar, warning that it may allow remote users to view files on the server.

It is reported that the "cal_make.pl" script does not properly restrict use of ".." characters in the user-supplied URL.

As an example, a URL in the following format may allow the /etc/passwd file to be accessed by the remote user:

http://[targethost]/cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00

The vendor has reportedly been notified.

Impact:   A remote user can obtain any file on the server that is readable by the web server.
Solution:   The vendor issued a fixed version (2.97) approximately one year ago. The current version is 2.99.

To obtain a fixed version, see:

http://www.perlcal.com/licenses.htm

Vendor URL:  www.perlcal.com/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 28 2001 PerlCal Web Calendar Software Allows Remote Users to View Files on the Server



 Source Message Contents

Subject:  Report of security bug fix


The vendor has submitted the following message:


Concerning:

"PerlCal Web Calendar Software Allows Remote Users to
View Files on the Server":

This security hole has been fixed for about a year.
Clients and Whizkunde were notified at the time.

Solution was to strip ../ from particular variables
and to s/\0//g; all form variables.

Security hole did not allow reading of any file --
only of files readable by the Web server.

Please update your site and notify any sites sharing
your data.

Thank you.
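The advisory describes a path-traversal input to cal_make.pl, and the vendor message describes the fix as stripping "../" and NUL bytes from form variables. The following Python example is added here for illustration; it is not PerlCal code, and the data directory, log format and log lines are constructed. It shows the two checks a defender wants: a path validator that confines the "p0" parameter to the calendar's data directory by normalising the joined path rather than by filtering substrings, and a log check that flags cal_make.pl requests whose query values contain a parent-directory reference or a NUL byte.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the calendar's data files (not from the advisory).
CAL_DIR = "/var/www/perlcal/data"

# Matches a ".." path component on its own (not names like "..foo").
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def resolve_safely(p0, base=CAL_DIR):
    """Return the absolute path under `base` that p0 refers to, or None if
    p0 must be rejected. NUL bytes are rejected outright: a C-level open()
    truncates the file name at the NUL, which is why "%00" mattered in the
    original report. The joined path is then normalised and must still lie
    inside `base` (use os.path.realpath in production to also resolve
    symbolic links; posixpath keeps this example platform-independent)."""
    if "\0" in p0:
        return None
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, p0))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def flag_request(log_line):
    """True when a web-server access-log line shows a cal_make.pl request
    whose decoded query values contain ".." as a path component or a NUL."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m or "cal_make.pl" not in m.group(1):
        return False
    query = urlsplit(m.group(1)).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            v = unquote(v)  # parse_qs decodes once; decode again for %25xx
            if "\0" in v or TRAVERSAL.search(v):
                return True
    return False


# Constructed sample log lines in Apache common log format.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Jun/2002:12:00:01 +0000] "GET /cgi-bin/cal_make.pl?p0=june2002 HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Jun/2002:12:00:07 +0000] "GET /cgi-bin/cal_make.pl?p0=../../../../etc/passwd%00 HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("FLAGGED" if flag_request(line) else "ok     ", line)
```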


Copyright 2019, SecurityGlobal.net LLC