SECURITYVULNS:DOC:27995
WebCalendar <= 1.2.4 Two Security Vulnerabilities

2012-04-24 00:00:00
vulners.com

author: Egidio Romano aka EgiX
mail: n0b0d13s[at]gmail[dot]com
software link: https://sourceforge.net/projects/webcalendar/

[-] vulnerable code in /install/index.php (CVE-2012-1495)

  $y = getPostValue ( 'app_settings' );
  if ( ! empty ( $y ) ) {
    $settings['single_user_login'] = getPostValue ( 'form_single_user_login' );
    $settings['readonly'] = getPostValue ( 'form_readonly' );

  [...]

  // Save settings to file now.
  if ( ! empty ( $x ) || ! empty ( $y ) ){
    $fd = @fopen ( $file, 'w+b', false );
    if ( empty ( $fd ) ) {
      if ( @file_exists ( $file ) ) {
        $onloadDetailStr =
          translate ( 'Please change the file permissions of this file', true );
      } else {
        $onloadDetailStr =
          translate ( 'Please change includes dir permission', true );
      }
      $onload = "alert('" . $errorFileWriteStr . $file. "\\n" .
        $onloadDetailStr . ".');";
    } else {
      if ( function_exists ( "date_default_timezone_set" ) )
        date_default_timezone_set ( "America/New_York");
      fwrite ( $fd, "<?php\r\n" );
      fwrite ( $fd, '/* updated via install/index.php on ' . date ( 'r' ) . "\r\n" );
      foreach ( $settings as $k => $v ) {
        if ( $v != '<br />' && $v != '' )
          fwrite ( $fd, $k . ': ' . $v . "\r\n" );
      }

Access to this script is not properly restricted, so an attacker who can reach
/install/index.php can rewrite /includes/settings.php with arbitrary values and, since
every value is written into the file unfiltered, inject PHP code into it.
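The following is an added example, not WebCalendar's code and not the fix shipped in 1.2.5. It shows the two controls a settings writer reached from an installer needs against the problems described above: refusing to run once a settings file exists (the unlock-marker scheme, the function names and the sample values are all illustrative), and rejecting values that could add extra "key: value" lines or break out of the file's comment block before anything is written.

```php
<?php
// Added example (not WebCalendar's code): guarding an installer-driven settings
// writer against anonymous re-runs and against unfiltered values. The lock scheme
// and names are hypothetical and exist only to illustrate the checks.

declare(strict_types=1);

// Refuse the installer once a settings file exists, unless the operator has
// explicitly re-enabled it by creating a marker file by hand on the server.
function installer_allowed(string $settings_file, string $unlock_marker): bool
{
    return !file_exists($settings_file) || file_exists($unlock_marker);
}

// The settings file is "<?php", an opened /* comment, "key: value" lines and a
// closing */. A value carrying CR/LF can therefore add arbitrary keys, and one
// carrying "*/" can close the comment and run PHP code if the file is executed.
// Keys: lowercase identifiers. Values: printable ASCII, no line breaks, no "*/"
// and no PHP tags.
function valid_setting(string $k, string $v): bool
{
    if (!preg_match('/\A[a-z][a-z0-9_]{0,63}\z/', $k)) {
        return false;
    }
    if (!preg_match('/\A[\x20-\x7E]{0,255}\z/', $v)) {
        return false;
    }
    foreach (['*/', '<?', '?>'] as $bad) {
        if (strpos($v, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Write the settings file atomically (temp file + rename) with restrictive
// permissions. Returns the keys that were rejected; throws if writing fails.
function write_settings(string $file, array $settings): array
{
    $rejected = [];
    $body = "<?php\r\n/* updated via install on " . gmdate('r') . "\r\n";
    foreach ($settings as $k => $v) {
        $k = (string) $k;
        $v = (string) $v;
        if (!valid_setting($k, $v)) {
            $rejected[] = $k;
            continue;
        }
        if ($v !== '') {
            $body .= $k . ': ' . $v . "\r\n";
        }
    }
    $body .= "*/\r\n";
    $tmp = $file . '.' . bin2hex(random_bytes(6)) . '.tmp';
    if (file_put_contents($tmp, $body, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $file)) {
        unlink($tmp);
        throw new RuntimeException("cannot replace $file");
    }
    return $rejected;
}

// Demonstration with constructed input in a temporary directory.
$dir = sys_get_temp_dir() . '/wc_' . bin2hex(random_bytes(4));
mkdir($dir);
$settings_file = $dir . '/settings.php';
$unlock_marker = $dir . '/install_unlocked';

if (!installer_allowed($settings_file, $unlock_marker)) {
    exit("installer locked\n");
}
$rejected = write_settings($settings_file, [
    'single_user_login' => 'admin',
    'readonly'          => 'N',
    'db_host'           => "localhost\r\nsingle_user_login: attacker", // smuggles a 2nd key
    'install_password'  => "x */ <?php system(\$_GET['c']); ?>",       // closes the comment
]);
printf("rejected: %s\n", implode(', ', $rejected));
echo file_get_contents($settings_file);

// Second run: the settings file now exists and there is no unlock marker.
var_dump(installer_allowed($settings_file, $unlock_marker)); // bool(false)

unlink($settings_file);
rmdir($dir);
```

The rejected list for the constructed input is db_host and install_password; the written file contains only the two clean entries. Whatever locking scheme a project actually adopts, the essential property is that the decision is made on server-side state the client cannot influence, not on whether the request carried an "app_settings" field.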

[-] vulnerable code (local file inclusion) in /pref.php (CVE-2012-1496)

  if ( ! empty ( $_POST ) && empty ( $error )) {
    $my_theme = '';
    $currenttab = getPostValue ( 'currenttab' );
    save_pref ( $_POST, 'post' );
    if ( ! empty ( $my_theme ) ) {
      $theme = 'themes/'. $my_theme . '_pref.php';
      include_once $theme;
      save_pref ( $webcal_theme, 'theme' );
    }
    

Input passed through $_POST['pref_THEME'] is not sanitized before save_pref() copies it
into $my_theme, so the include_once above can be made to include arbitrary local files.
Exploitation requires an authenticated user and magic_quotes_gpc = off: the '_pref.php'
suffix has to be cut off with a null byte inside the theme name, and magic quotes would
escape that byte.
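As an added example (not WebCalendar's code), the theme path construction from the snippet above next to a hardened lookup that only ever includes a file that exists inside the themes directory. The function names, the temporary themes directory and the test inputs are all constructed for this illustration. Note that the null-byte truncation the exploit relies on only works on PHP older than 5.3.4; later versions refuse to include a path containing a null byte, which removes that trick but not the directory traversal.

```php
<?php
// Added example (not WebCalendar's code): the theme include from pref.php beside a
// hardened version. Names are illustrative.

declare(strict_types=1);

// Vulnerable form, as in the advisory: the raw preference value is glued into the
// include path. With magic_quotes_gpc off and PHP < 5.3.4, a value such as
// "../../../../etc/passwd\0" makes include_once read /etc/passwd because the null
// byte truncates the path before "_pref.php".
function vulnerable_theme_path(string $my_theme): string
{
    return 'themes/' . $my_theme . '_pref.php';
}

// Hardened form: accept only a name that matches a strict token pattern and that
// resolves, via realpath(), to an existing file underneath the themes directory.
// Returns null on any failure so the caller can fall back to the default theme
// instead of including anything.
function safe_theme_path(string $my_theme, string $themes_dir): ?string
{
    // Character allowlist: no slashes, dots, null bytes or whitespace. This runs
    // before any filesystem call, so PHP 8's ValueError on null bytes never fires.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,40}\z/', $my_theme)) {
        return null;
    }
    $base = realpath($themes_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $my_theme . '_pref.php');
    // realpath() fails for a missing file; the prefix check is defence in depth in
    // case the pattern is ever loosened or the themes directory contains symlinks.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration with a temporary themes directory (constructed for the example).
$themes = sys_get_temp_dir() . '/themes_' . bin2hex(random_bytes(4));
mkdir($themes);
file_put_contents($themes . '/default_pref.php', "<?php \$webcal_theme = 'default';\n");

$inputs = [
    'default',                        // legitimate theme name
    "../../../../etc/passwd\0",       // traversal plus null-byte truncation
    'default/../../install/index',    // traversal without a null byte
    "default\n",                      // trailing newline
];
foreach ($inputs as $raw) {
    printf("%-34s vulnerable => %s\n", json_encode($raw), vulnerable_theme_path($raw));
    printf("%-34s hardened   => %s\n", '', safe_theme_path($raw, $themes) ?? 'rejected');
}

unlink($themes . '/default_pref.php');
rmdir($themes);
```

Only the first input survives the hardened lookup; the three malicious ones are rejected by the pattern before any path is touched. The order matters: validating the token first means the filesystem functions are never handed attacker-shaped strings at all.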

[-] Disclosure timeline:

[02/10/2011] - Vulnerabilities discovered
[04/10/2011] - Vendor notified via http://sourceforge.net/support/tracker.php?aid=3418570
[20/02/2012] - First vendor response
[28/02/2012] - Vendor fix committed to CVS
[29/02/2012] - Version 1.2.5 released
[02/03/2012] - CVE numbers requested
[02/03/2012] - Assigned CVE-2012-1495 and CVE-2012-1496
[23/04/2012] - Public disclosure
