[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WebCalendar <= 1.2.4 Two Security Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WebCalendar <= 1.2.4 Two Security Vulnerabilities
From: n0b0d13s@xxxxxxxxx
Date: Mon, 23 Apr 2012 19:02:26 GMT

 -------------------------------------------------
 WebCalendar <= 1.2.4 Two Security Vulnerabilities
 -------------------------------------------------
 
 author..........: Egidio Romano aka EgiX
 mail............: n0b0d13s[at]gmail[dot]com
 software link...: https://sourceforge.net/projects/webcalendar/


 [-] vulnerable code in /install/index.php (CVE-2012-1495)

 674.    $y = getPostValue ( 'app_settings' );
 675.    if ( ! empty ( $y ) ) {
 676.      $settings['single_user_login'] = getPostValue ( 
'form_single_user_login' );
 677.      $settings['readonly'] = getPostValue ( 'form_readonly' );
 ...
 724.      // Save settings to file now.
 725.    if ( ! empty ( $x ) || ! empty ( $y ) ){
 726.      $fd = @fopen ( $file, 'w+b', false );
 727.      if ( empty ( $fd ) ) {
 728.        if ( @file_exists ( $file ) ) {
 729.          $onloadDetailStr =
 730.            translate ( 'Please change the file permissions of this file', 
true );
 731.        } else {
 732.          $onloadDetailStr =
 733.            translate ( 'Please change includes dir permission', true );
 734.        }
 735.        $onload = "alert('" . $errorFileWriteStr . $file. "\\n" .
 736.          $onloadDetailStr . ".');";
 737.      } else {
 738.        if ( function_exists ( "date_default_timezone_set" ) )
 739.          date_default_timezone_set ( "America/New_York");
 740.        fwrite ( $fd, "<?php\r\n" );
 741.        fwrite ( $fd, '/* updated via install/index.php on ' . date ( 'r' 
) . "\r\n" );
 742.        foreach ( $settings as $k => $v ) {
 743.          if ( $v != '<br />' && $v != '' )
 744.          fwrite ( $fd, $k . ': ' . $v . "\r\n" );
 745.        }
 
 Restricted access  to this script isn't  properly realized,  so an attacker 
might be able
 to  update  /includes/settings.php  with arbitrary  values  or  inject PHP 
code  into it.
 
 
 [-] vulnerable code to LFI in /pref.php (CVE-2012-1496)
  
 70.    if ( ! empty ( $_POST ) && empty ( $error )) {
 71.      $my_theme = '';
 72.      $currenttab = getPostValue ( 'currenttab' );
 73.      save_pref ( $_POST, 'post' );
 74. 
 75.      if ( ! empty ( $my_theme ) ) {
 76.        $theme = 'themes/'. $my_theme . '_pref.php';
 77.        include_once $theme;
 78.        save_pref ( $webcal_theme, 'theme' );
 79.      }
 
 Input passed through $_POST['pref_THEME'] isn't properly sanitized  before 
being assigned
 to $my_theme variable, this can be exploited to include arbitrary local files 
at line 77.
 Exploitation  of this  vulnerability requires  authentication and 
magic_quotes_gpc = off.
 
 
 [-] Disclosure timeline:
 
 [02/10/2011] - Vulnerabilities discovered
 [04/10/2011] - Vendor notified to 
http://sourceforge.net/support/tracker.php?aid=3418570
 [20/02/2012] - First vendor response
 [28/02/2012] - Vendor fix committed to CVS
 [29/02/2012] - Version 1.2.5 released
 [02/03/2012] - CVE numbers requested
 [02/03/2012] - Assigned CVE-2012-1495 and CVE-2012-1496
 [23/04/2012] - Public disclosure

Prev by Date: AST-2012-006: Remote Crash Vulnerability in SIP Channel Driver
Next by Date: FYI: We're now paying up to $20,000 for web vulns in our services
Previous by thread: AST-2012-006: Remote Crash Vulnerability in SIP Channel Driver
Next by thread: FYI: We're now paying up to $20,000 for web vulns in our services
Index(es):
- Date
- Thread